Professional Documents
Culture Documents
11.x Systems
Abstract
This document helps less experienced system administrators acquire basic patch-related skills and knowledge in a short period
of time and explains how to perform basic HP-UX patch management tasks. It aids system administrators in developing a basic
patch management strategy.
This document does not function as an all-encompassing source of information for patch management. It also does not guide
system administrators in determining the best or most efficient patch management strategy for their environment. Some
recommendations in this guide might differ from recommendations in guides that are targeted at more experienced system
administrators.
5992-4020 HP-UX 11.0, 11i v1, 11i v1.6, 11i March 2008
v2, 11i v3
5992-0674 HP-UX 11.0, 11i v1, 11i v1.6, 11i September 2007
v2, 11i v3
5991-6449 HP-UX 11.0, 11i v1, 11i v1.6, 11i February 2007
v2, 11i v3
5991-5309 HP-UX 11.0, 11i v1, 11i v1.6, 11i June 2006
v2
5991-4825 HP-UX 11.0, 11i v1, 11i v1.6, 11i March 2006
v2
5991-2722 HP-UX 11.0, 11i v1, 11i v1.6, 11i December 2005
v2
5991-1163 HP-UX 11.0, 11i v1, 11i v1.6, 11i May 2005
v2
5991-0686 HP-UX 11.0, 11i v1, 11i v1.6, 11i December 2004
v2
5990-6753a HP-UX 11.0, 11i v1, 11i v1.6, 11i September 2004
v2
5990-6753 HP-UX 11.0, 11i v1, 11i v1.6, 11i April 2004
v2
762796-001 HP-UX 11.0, 11i v1, 11i v1.6, 11i March 2014
v2
Contents
1 HP secure development lifecycle...................................................................7
2 HP-UX patches and patch management.........................................................8
Patch management strategies.....................................................................................................8
How to get patches..............................................................................................................9
Where to start.....................................................................................................................9
3 Quick start guide for patching HP-UX systems...............................................10
Overview..............................................................................................................................10
Before you begin....................................................................................................................10
Should you use standard HP-UX patch bundles?.....................................................................10
Should you use individual patches?......................................................................................10
Standard HP-UX patch bundles............................................................................................11
Acquiring and installing standard HP-UX patch bundles...............................................................11
Acquiring the bundles........................................................................................................11
Installing the bundles..........................................................................................................12
Advanced topic: using Dynamic Root Disk (DRD)....................................................................13
Acquiring and installing individual patches................................................................................14
Acquiring the patches.........................................................................................................14
Installing the patches..........................................................................................................16
Advanced topic: using Dynamic Root Disk (DRD)....................................................................17
4 HP-UX patch overview...............................................................................18
Patch-related concepts.............................................................................................................18
Patch identification.............................................................................................................18
HP-UX software structure.....................................................................................................18
Patch bundles....................................................................................................................19
Software depots and patch depots.......................................................................................20
Patch status.......................................................................................................................20
Patch state........................................................................................................................21
State................................................................................................................................21
Category tags...................................................................................................................22
Which patches are on a system?..............................................................................................23
Examples of the swlist command..........................................................................................23
Ancestors and supersession......................................................................................................27
Ancestors..........................................................................................................................27
Advanced topic: determining patch ancestors...................................................................27
Supersession.....................................................................................................................28
Advanced topic: displaying supersession information.........................................................29
Advanced topic: supersession and the patch_state attribute................................................29
Patch-related attributes.............................................................................................................31
Patch dependencies................................................................................................................33
Types of dependencies.......................................................................................................34
Corequisites and prerequisites.............................................................................................34
Advanced topic: determining corequisite and prerequisite filesets with the swlist command.....34
Enforced and unenforced (manual) dependencies..................................................................34
Impact of dependencies on acquiring patches.......................................................................35
Patch rollback and commitment................................................................................................35
Patch rollback....................................................................................................................35
Advanced topic: patch installation and rollback files..........................................................35
Patch commitment..............................................................................................................36
Advanced topic: patch cleanup utility...................................................................................36
HP-UX patch ratings................................................................................................................37
Contents 3
HP patch rating of 1 ..........................................................................................................37
Rating details ..............................................................................................................37
HP patch rating of 2 ..........................................................................................................37
Rating details ..............................................................................................................38
HP patch rating of 3 ..........................................................................................................38
Rating details ..............................................................................................................38
Critical and noncritical patches................................................................................................38
Finding information for a specific patch.....................................................................................39
Patch documentation..........................................................................................................39
Advanced topic: the readme attribute...................................................................................40
Obtaining information using the HPSC..................................................................................40
Accessing information on the HPSC.................................................................................41
Patch warnings.......................................................................................................................41
The warning field...............................................................................................................41
Critical and noncritical warnings..........................................................................................42
How to handle patch warnings............................................................................................42
Questions to ask................................................................................................................43
Advanced topic: finding patches with warnings.....................................................................43
Backup and recovery..............................................................................................................43
Considerations..................................................................................................................44
5 Patch management overview......................................................................45
Patch management life cycle....................................................................................................45
HP service contracts................................................................................................................48
Patch management and software change management strategies..................................................48
Establishing a software change management strategy ............................................................48
Recommendations for software change management .............................................................49
Consideration of HP patch rating.........................................................................................50
Patch management and software depots...............................................................................50
Proactive patching strategy..................................................................................................51
Acquiring patches for proactive patching.........................................................................51
Advanced topic: HP-UX Software Assistant........................................................................52
Reactive patching strategy...................................................................................................52
Acquiring patches for reactive patching ..........................................................................53
Advanced topic: security patching strategy ...........................................................................53
Advanced topic: scanning for security patches ......................................................................54
Testing the patches to be installed ............................................................................................54
6 What are standard HP-UX patch bundles?...................................................55
Key features...........................................................................................................................55
Standard HP-UX patch bundles.................................................................................................55
Obtaining standard HP-UX patch bundles..................................................................................57
7 Using the HP Support Center.....................................................................58
Obtaining an HPSC user account.............................................................................................58
Useful pages on the HPSC.......................................................................................................58
Find individual patches............................................................................................................59
Key features......................................................................................................................59
Accessing the patch database and finding an individual patch................................................59
Advanced topic: checking for special installation instructions........................................................61
Advanced topic: checking for all patch dependencies.................................................................62
Check for patches with dependencies...................................................................................62
Standard patch bundles...........................................................................................................65
Custom patch bundles - run a patch assessment..........................................................................65
Support information digests......................................................................................................65
Key features......................................................................................................................65
4 Contents
Ask your peers in the forums....................................................................................................65
Search knowledge base..........................................................................................................65
Key features .....................................................................................................................66
8 Using software depots for patch management..............................................67
Common software distributor commands for patching..................................................................67
Depot types...........................................................................................................................68
Directory depots................................................................................................................68
Tape depots......................................................................................................................69
Using depots..........................................................................................................................69
Choosing depot type and depot location..............................................................................70
Viewing depots......................................................................................................................70
Examples of the swlist command..........................................................................................71
Creating and adding to a directory depot.................................................................................72
Copying patches to depots..................................................................................................73
Advanced topic: HP-UX Software Assistant............................................................................74
Copying products with patch dependencies to depots.............................................................74
Registering and unregistering directory depots............................................................................75
Examples of registering and unregistering depots...................................................................75
Advanced topic: access control lists......................................................................................76
Verifying directory depots........................................................................................................76
Examples of verifying directory depots..................................................................................76
Removing software from a directory depot.................................................................................78
Advanced topic: removing superseded patches from a depot...................................................79
Removing a directory depot ....................................................................................................80
Installing patches from a depot.................................................................................................81
Examples of installing patches from a depot..........................................................................82
Installing products with patch dependencies from a depot.......................................................84
Custom patch bundles.............................................................................................................84
Examples of listing patches and bundles...............................................................................84
Creating a custom bundle...................................................................................................85
9 Using HP-UX Software Assistant for patch management.................................89
For more information...............................................................................................................89
10 Using Dynamic Root Disk for patch management........................................90
For more information...............................................................................................................91
11 The Patch Assessment Tool........................................................................92
Benefits of the Patch Assessment Tool.........................................................................................92
Using the Patch Assessment Tool...............................................................................................92
Example of running the Patch Assessment Tool............................................................................93
12 Support and other resources.....................................................................95
Contacting HP........................................................................................................................95
Before you contact HP........................................................................................................95
HP contact information.......................................................................................................95
Subscription service............................................................................................................95
Related information.................................................................................................................95
Documents........................................................................................................................95
HP websites......................................................................................................................96
Typographic conventions.........................................................................................................96
13 Documentation Feedback.........................................................................98
A Patch usage models..................................................................................99
Patch usage model 1: hardware/application software change....................................................100
Patch usage model 2: third-party hardware/software qualification..............................................104
Patch usage model 3: operating environment cold install...........................................................105
Contents 5
Patch usage model 4: operating environment update.................................................................107
Patch usage model 5: proactive patch.....................................................................................109
Patch usage model 6: reactive patch.......................................................................................110
Glossary..................................................................................................111
Index.......................................................................................................114
6 Contents
1 HP secure development lifecycle
Starting with HP-UX 11i v3 March 2013 update release, HP secure development lifecycle provides
the ability to authenticate HP-UX software. Software delivered through this release has been digitally
signed using HP's private key. You can now verify the authenticity of the software before installing
the products, delivered through this release.
To verify the software signatures in signed depot, the following products must be installed on your
system:
• B.11.31.1303 or later version of SD (Software Distributor)
• A.01.01.07 or later version of HP-UX Whitelisting (WhiteListInf)
To verify the signatures, run: /usr/sbin/swsign -v –s <depot_path>. For more information,
see Software Distributor documentation at http://www.hp.com/go/sd-docs
NOTE: Ignite-UX software delivered with HP-UX 11i v3 March 2014 release or later supports
verification of the software signatures in signed depot or media, during cold installation.
For more information, see Ignite-UX documentation at http://www.hp.com/go/ignite-ux-docs.
7
2 HP-UX patches and patch management
Patches are software that HP releases to deliver incremental updates to a system. Patches are best
known for delivering defect fixes, but also deliver new functionality and features, enable new
hardware, and update firmware. You can use HP-UX patches to update HP-UX software without
having to completely reinstall a system application. For a description of patches, see Chapter 4:
“HP-UX patch overview” (page 18).
You might wonder why you should be concerned with patch management. HP recommends that
you address patch management to reduce the risk of problems such as system hangs, panics,
memory leaks, data corruption, application failures, and security breaches. If your job involves
any of the following concerns, then you need patch management:
• Having proper system functionality and performance
• Maintaining system security
• Maintaining system reliability and availability
• Obtaining the latest system enhancements and functionality
• Reading about problems and solutions before you encounter them
• Limiting the number of patches to install if you encounter a problem
• Limiting the amount of time required to troubleshoot problems
Patch management involves any of the following tasks:
• Selecting or acquiring patches
• Applying patches
• Updating previously applied patches with more current patches
• Verifying patches
• Testing patches
• Listing patches already applied to existing software
• Copying patches
• Maintaining repositories, or depots, of patches for easy selection
• Committing applied patches
• Removing or rolling back applied patches
For a description of patch management, see Chapter 5: “Patch management overview” (page 45).
NOTE: You can approach patch management in many different ways with no one approach
being the correct way. You must base decisions regarding patch management on the specifics of
your individual situation. Even then, there might be more than one reasonable path.
Where to start
If you have immediate patching needs, see Chapter 3: “Quick start guide for patching HP-UX
systems” (page 10).
If you want to learn about patching options, read all chapters in this guide, and then choose the
resource that best meets your needs.
NOTE: You will require root user privileges to complete these procedures.
Overview
This quick start guides you through basic patch management tasks and provides minimal detail:
• “Before you begin” (page 10)
Before you acquire and install the patch bundles or individual patches, you should consider
some patch-related questions. See “Should you use standard HP-UX patch bundles?” (page 10)
and “Should you use individual patches?” (page 10).
• “Acquiring and installing standard HP-UX patch bundles” (page 11)
When initially patching a system, it is important to establish a stable baseline of patches. This
section shows you how to acquire and install the standard HP-UX patch bundles. See Chapter 6
(page 55) for more information.
• “Acquiring and installing individual patches” (page 14)
In addition to the standard HP-UX patch bundles, you might need to install individual patches.
For example, you might want more recent patches found on the HP Support Center (HPSC)
website than those contained in a standard HP-UX patch bundle on media. You might also
want the latest security patches.
For additional information, visit the HPSC website at http://www.hp.com/go/hpsc.
NOTE: In addition to the information in this guide, you should review the release notes for the
product you are patching.
NOTE: Standard HP-UX patch bundles are cumulative. The latest version of a bundle includes
patches from all previous versions. Also, the standard patch bundles might have overlapping
content. This will not affect the patching process.
NOTE: You must link your active HP support agreement (that includes Software Updates) to
your HPSC profile before downloading patches. Use the My Profile link for instructions after
completing login at the HPSC website.
◦ If the verification is successful, the last few lines of output contain the line "*
Verification succeeded."
◦ If the verification was not successful, view the /var/adm/sw/swagent.log file
for additional information related to the swverify command failure. If this is not
sufficient to resolve the problem, consult more advanced resources in Section :
“Related information” (page 95).
• View the swagent log file, located at /var/adm/sw/swagent.log. This log includes
information related to the installation.
◦ Find the section pertaining to the installation just performed (located near the end of
the file if you check it immediately after the install). Review this section and make
sure that there were no errors ("ERROR").
◦ If you find errors, consult more advanced resources in Section : “Related information”
(page 95) to resolve the problem.
NOTE: HP assigns each HP-UX patch a unique identification or patch ID. Each HP-UX patch ID
has the form PHXX_#####, where:
• PH is an abbreviation for Patch HP-UX
• XX is replaced with one of the following values for the HP-UX area being patched:
◦ CO = command patches
◦ KL = kernel patches
◦ NE = network patches
• This symbol means that the patch has a warning associated with it. You should review
the warning text to determine whether it applies to the system.
• This icon means that the patch has Special Installation Instructions. You should always
read them.
See Table 9: “Navigating the search results table” (page 60) for a description of all table
icons.
8. To review details about a patch, select the patch ID to open the patch details page.
At a minimum, you should review the information provided in the following fields:
• Special Installation Instructions: Read this section to determine if the chosen patch has
additional steps that you must perform during installation.
• Warning: This section will only exist if the patch has a warning associated with it. Carefully
read the information to determine how or whether the patch's problems will impact the
system. If the warning does impact the system, you must decide whether the problem
appears severe enough to avoid installing the patch. If this is the case, select an alternate
patch if one is available.
• Patch Dependencies, Hardware Dependencies, Other Dependencies: Note the patch IDs
because you must later verify that the patches are included on the list of patches that you
download.
9. When you finish viewing this page, return to the search results page.
10. On the search results page, check the box next to the patch ID of the patch to download.
TIP: If the recommended column appears, you should select the patch in that column unless
you have a valid reason not to.
11. Add the checked patch to the list of patches to download by clicking add to selected patch
list.
• If the patch you chose has a warning associated with it, the patch warning(s) page
appears.
• If this happens, verify the patch you are downloading and click continue.
• The selected patch list page is displayed.
12. The Patch Database might automatically add some patches to the download list to satisfy
dependencies. You should download these along with the patches you explicitly selected.
13. To add more patches to the patch list, click add patches.
14. After acquiring all the patches you need, click download selected to open the download
patches page.
15. Under the heading download items in one operation or download items individually, select
a format option (HP recommends gzip package) and a download server. Select a zip package
only if you are certain the HP-UX system can unpack a .zip file.
You can use the commands whereis(1) and which(1) to make sure you have the appropriate
software. For example, use whereis gzip to determine if the program is installed and use
which gzip to determine if the program is in your path.
◦ If the verification is successful, the last few lines of output contain the line "*
Verification succeeded."
◦ If the verification was not successful, view the /var/adm/sw/swagent.log filefor
additional information related to the swverify command failure. If this is not
sufficient to resolve the problem, consult more advanced resources in Section :
“Related information” (page 95).
• View the swagent log file, located at /var/adm/sw/swagent.log. This log includes
information related to the installation.
◦ Find the section pertaining to the installation just performed (located near the end of
the file if you check it immediately after the install). Review this section, and ensure
that there were no errors ("ERROR").
◦ If you find errors, consult more advanced resources in Section : “Related information”
(page 95) to resolve the problem.
◦ CO = command patches
◦ KL = kernel patches
◦ NE = network patches
◦ Although a patch has a unique name, the names of the filesets contained in a patch match
the corresponding base filesets that they patch.
• Product
◦ A product is a software object that is packaged and distributed for users to acquire and
install.
◦ Products are composed of one or more filesets and might additionally contain one or
more control scripts.
◦ A product can exist either within a bundle or as its own entity.
• Bundle
◦ If the products within the bundle are all patches, the bundle is known as a patch bundle.
For more information about these software objects, see the Software Distributor Administration
Guide on the HP Business Support Center website at http://www.hp.com/go/sd-docs.
Patch bundles
Patch bundles play an important role in patch management. A patch bundle is a collection of
patches that have been grouped into a single software object to meet a specific need. Many HP-UX
users find that acquiring and installing these bundles, as opposed to acquiring and installing
patches individually, simplifies the patch management process.
Your first encounter with patch bundles might be with the standard HP-UX patch bundles. These
bundles contain patches that HP has assembled to meet a specific need. For example, the basic
purpose of Quality Pack patch bundles is to deliver defect-fix patches for proactive maintenance.
HP releases updated versions of the bundles on a regular schedule and tests them to ensure a high
level of reliability. Using standard HP-UX patch bundles can be a less error-prone and more efficient
way to patch a system than acquiring and installing individual patches. For more information, see
Chapter 6: “What are standard HP-UX patch bundles?” (page 55).
Each patch bundle includes all patch dependencies for the successful installation of all patches
that apply to a system. Additionally, some patch bundles, such as HWEnable11i and FEATURE11i,
deliver patches for the successful installation of product bundles that include I/O driver products,
for example, USB-00. The selection of product bundles with patch dependencies will result in the
automatic selection of required patches from the applicable patch bundle. This automatic selection
of patch dependencies can simplify the management and installation of products or patches with
patch dependencies.
Patch bundles also make it easier for you to determine the current level of patches on a system.
For example, there could be hundreds of individual patches contained in an installed bundle, but
the swlist command lists, by default, only the bundle name rather than each individual patch
contained in the bundle.
For example, if you install March 2013 Quality Pack patch bundles on an HP-UX 11i v3 (B.11.31)
system, you get an output similar to the following:
QPKAPPS B.11.31.1303.391 Applications Patches for HP-UX 11i v3, March 2013
QPKBASE B.11.31.1303.391 Base Quality Pack Bundle for HP-UX 11i v3, March 2013
Patch-related concepts 19
For more information about listing the products on a system, see “Which patches are on a system?”
(page 23).
You might also find yourself working with patch bundles if you use the HPSC Patch Assessment
Tool, which allows you to create your own custom patch bundles. For more information, see
Chapter 11: “The Patch Assessment Tool” (page 92).
Patch status
Patches have an associated status. The initial value of a patch's status does not change, but over
the life of the patch, modifiers might be added (as described in this section). You can find the value
for a patch's status in the Status field. This field is in the patch’s patch details page on the HPSC
and in the patch text file. To obtain the most up-to-date values for patch status, use the patch details
page. A patch status has the following values and modifiers to describe it.
Initial values for patch status include the following:
• General Release (GR)
HP has approved GR patches for widespread use.
• Special Release (SR)
HP intends an SR patch for limited distribution. It is available only through special channels.
Modifiers for patch status values include the following:
• Superseded
Indicates that the patch has been replaced by a newer patch. For more information about
supersession, see “Ancestors and supersession” (page 27).
Results in the additional patch status values General Superseded and Special
Superseded.
• With Warnings
Indicates that the patch has an associated warning. For more information about warnings,
see “Patch warnings” (page 41).
Results in the additional patch status values General Release With Warnings and
Special Release With Warnings.
Most patches have a status of General Release or General Superseded.
IMPORTANT: For HP-UX 11.0 systems, you must install patch PHCO_22526 or a superseding
patch for proper functionality regarding the committed/superseded patch_state.
• Show the patch_state values for all patches on the local system by entering this command:
swlist -l fileset -a patch_state *,c=patch
For more information regarding the swlist command, see “Which patches are on a system?”
(page 23).
State
Filesets (patch and nonpatch) have an attribute called state that indicates the current installation
state of a fileset. During installation, software is transitioned through the following states:
transient, installed, and configured. During removal, software is transitioned through
these states: configured, installed, and transient.
An SD-UX operation leaves a fileset in one of the following states:
• installed
Software has been successfully installed but not yet configured.
• configured
Software has been successfully installed and configured. No further operations are required.
Patch-related concepts 21
• corrupt
SD-UX has encountered an unexpected condition during software installation checks.
• transient
When SD-UX moves software from one location to another, the software is in a transient state.
If an interruption occurs during the transfer, the state remains transient.
For more information about these states, see the Software Distributor Administration Guide on the
HP Business Support Center website at http://www.hp.com/go/sd-docs.
Use the following swlist command to view the state associated with patch patch_id:
swlist -l fileset -a state | grep patch_id
For more information about the swlist command,see “Which patches are on a system?” (page 23).
Category tags
Patches have categories, or category tags, associated with them to simplify the process of
determining the general purpose of a specific patch. A patch might have multiple categories
specified. This section provides a list of common patch categories. A patch always has the category
tag patch.
Although you can use category tags in conjunction with several SD-UX commands, including the
swinstall and swcopy commands, you should only use category tags with the swlist
command.
Because of the cumulative nature of patches, many category tags for a patch are inherited from
the patch's ancestors. Therefore, if patch A is created to deliver a critical fix, it will have a
critical tag, and all patches superseding it will also have a critical tag.
You can determine patch categories for a given patch in the following ways:
• Viewing the Category Tags field on the patch details page or inthe text file for the patch.
• Using the swlist command:
swlist -l product -a category_tag patch_id
This command also shows any category tags that have been manually added to the patch by a
user. For swlist examples that use category tags and for more information about the swlist
command, see “Which patches are on a system?” (page 23).
The following list provides a subset of patch-related categories:
• patch
This category tag is always present for patches because software objects with the is_patch
attribute set to true have the built-in, reserved category of patch. For more information
about attributes, see “Patch-related attributes” (page 31).
• hardware_enablement
A patch that provides support for new hardware.
• enhancement
A patch that provides an enhancement.
◦ A patch with restricted distribution, usually intended for installation by one specific customer
or set of customers.
◦ Information for special_release patches is not always available using the HPSC's
Patch Database or other official HP information sources. However, you might encounter
references to these patches when viewing information related to other patches.
◦ A patch cannot inherit this tag.
• critical
◦ A patch that repairs a critical problem. For more information, see “Critical and noncritical
patches” (page 38).
A patch that has a critical tag also has one or more of the following tags: panic,
halts_system, corruption, memory_leak.
• firmware
A patch that provides model-specific firmware updates.
• manual_dependencies
◦ A patch that contains one or more dependencies that are not enforced by SD-UX tools.
For more information, see “Patch dependencies” (page 33).
◦ A patch cannot inherit this tag.
NOTE: For brevity and improved readability, some lines of SD-UX command output have been
shortened or removed.
◦ Lists all software objects down to the specified level. The following is a partial list of
supported level values:
– depot: Lists software available from registered depots.
– bundle: Shows only bundles.
– product: Shows only products.
– patch: Shows all applied patches.
– fileset: Shows products and filesets.
– file: Shows products, filesets, files, and numbers (used in software licensing).
– category: Shows all categories of available patches for patches that have included
category objects in their definition.
• -a attribute
Specifies one or more attributes to display. For more information about attributes, see
“Patch-related attributes” (page 31).
• -s source
Specifies the software source to list. Use this argument as an alternative way to list a depot.
• software_selections
• -x option=value
◦ The default behavior of the swlist command is to show only the latest patches installed
on a system. It does not show patches that have been superseded. To list superseded
patches, set the show_superseded_patches option to true:
swlist -x show_superseded_patches=true
• @ target_selections
◦ Specifies the target of the command. You can specify the swlist command operate on
a system other than the local host or on a depot. For example, to specify the swlist
command operate on the system host1:
swlist @ host1
For a complete list of swlist arguments, consult the swlist(1M) manpage or the Software Distributor
Administration Guide on the HP Business Support Center website at http://www.hp.com/go/
sd-docs.
To filter the output to display only patches, use the -l argument in combination with a software
selection using the category tag patch:
swlist -l level *,c=category_tag
For example:
$ swlist -l product *,c=patch
# Initializing...
# Contacting target "some_system"...
#
# Target: some_system:/
PHCO_28848 1.0 Software Distributor Cumulative Patch
PHCO_29010 1.0 shar(1) patch
PHCO_29495 1.0 libc cumulative patch
PHSS_28677 1.0 CDE Applications Periodic Patch
...
The following command shows patches that have a manual_dependencies category tag:
swlist -l level *,c=category_tag
swlist -l depot Displays the registered depots located on the local system.
swlist -l depot @ some_host Displays the registered depots located on the system
some_host.
swlist -d -l product @ Alternates commands that list the products stored in the
\some_host:/some_directory/some_depot software depot /some_directory/some_depot on the
swlist -l product -s system some_host.
\some_host:/some_directory/some_depot
swlist -d -l category @ Lists all category tags associated with the contents of the
\some_host:/some_directory/some_depot depot /some_directory/some_depot on the system
some_host.
swlist -a readme -l product patch_id Displays the readme documentation for patch patch_id.
swlist -a readme -l product *,c=critical Displays the readme documentation for all patches installed
on the local system which contain critical functionality.
swlist -l product -a category_tag patch_id Lists the category tags for patch patch_id.
swlist -l product -a category_tag Lists the patches installed on the local system and their
\*,c=patch corresponding category tags.
Ancestors
The ancestor of a patch is the original software product that a patch modifies. Ancestry is defined
only at the fileset level. Each patch fileset has only one ancestor fileset that composes the base
software that a patch modifies. However, there might be one or more versions of this ancestor
fileset. The patch fileset has the same extension as its ancestor. For example, fileset Xserver.AGRM
is the ancestor of patch fileset PHSS_29183.AGRM. You can see an additional example in
“Advanced topic: determining patch ancestors” (page 27).
Ancestry impacts both patch installation and patch removal. A patch fileset cannot be installed on
a system unless its ancestor fileset software either is already installed or is being installed during
the same operation. Similarly, when an ancestor fileset is removed, all the patches that have been
applied to it are also removed.
# PHSS_29183
PHSS_29183.AGRM Xserver.AGRM,fr=B.11.11,v=HP
PHSS_29183.DDX-ADVANCED Xserver.DDX-ADVANCED,fr=B.11.11,v=HP
PHSS_29183.DDX-ENTRY Xserver.DDX-ENTRY,fr=B.11.11,v=HP
PHSS_29183.DDX-LOAD Xserver.DDX-LOAD,fr=B.11.11,v=HP
PHSS_29183.DDX-SAM Xserver.DDX-SAM,fr=B.11.11,v=HP
PHSS_29183.DDX-SLS Xserver.DDX-SLS,fr=B.11.11,v=HP
PHSS_29183.DDX-UTILS Xserver.DDX-UTILS,fr=B.11.11,v=HP
PHSS_29183.X11-SERV Xserver.X11-SERV,fr=B.11.11,v=HP
PHSS_29183.X11-SERV-MAN Xserver.X11-SERV-MAN,fr=B.11.11,v=HP
PHSS_29183.XEXT-DBE Xserver.XEXT-DBE,fr=B.11.11,v=HP
PHSS_29183.XEXT-DBE-MAN Xserver.XEXT-DBE-MAN,fr=B.11.11,v=HP
PHSS_29183.XEXT-DPMS Xserver.XEXT-DPMS,fr=B.11.11,v=HP
PHSS_29183.XEXT-DPMS-MAN Xserver.XEXT-DPMS-MAN,fr=B.11.11,v=HP
PHSS_29183.XEXT-HPCR Xserver.XEXT-HPCR,fr=B.11.11,v=HP
PHSS_29183.XEXT-HPCR-MAN Xserver.XEXT-HPCR-MAN,fr=B.11.11,v=HP
PHSS_29183.XEXT-MBX Xserver.XEXT-MBX,fr=B.11.11,v=HP
PHSS_29183.XEXT-RECORD Xserver.XEXT-RECORD,fr=B.11.11,v=HP
Patch filesets that have been applied to an ancestor fileset are listed in the ancestor's
applied_patches attribute. Enter the following command:
swlist -a applied_patches fileset_name
For example:
$ swlist -a applied_patches Xserver.AGRM
# Initializing...
# Contacting target "chb26006"...
# Target: chb26006:/
Xserver.Runtime.AGRM
PHSS_21817.AGRM,fa=HP-UX_B.11.11_32/64
Supersession
Supersession is the process of replacing an earlier patch with a new patch. A new patch supersedes
all previous patches for its particular patch chain. Upon installation of the new (superseding) patch,
its files replace files of the patches being superseded. Patches for HP-UX products are always
cumulative. Each new patch contains all aspects of all its preceding patches.
A series of patches form a supersession chain. A supersession chain includes the following:
• The nonpatch software product being patched.
• Each patch that fixes the nonpatch software product.
• Each patch that fixes the patches.
Figure 1 shows a simple, hypothetical supersession chain in which a product has been superseded
by PHXX_31937, which in turn has been superseded by PHXX_32384, which has been superseded
by PHXX_43826. In general, patch numbers increase along a patch supersession chain.
The cumulative nature of a patch allows it to satisfy all dependencies on all patches it supersedes.
The converse is not true, however. A superseded patch will not satisfy a dependency on a
superseding patch. For more information about dependencies, see “Patch dependencies” (page 33).
You can determine which patches a given patch supersedes by viewing either the patch's patch
details page or the patch's patch text file. See the Supersedes field for more information.
# PHSS_27875
PHSS_27875.X11-JPN-S-MSG PHSS_28681.X11-JPN-S-MSG,fa=HP-UX_B.11.11_32/64
PHSS_27875.X11-RUN-CL PHSS_28681.X11-RUN-CL,fa=HP-UX_B.11.11_32/64
PHSS_27875.X11-TCH-B-MSG PHSS_28681.X11-TCH-B-MSG,fa=HP-UX_B.11.11_32/64
You can also show the filesets that a given patch has superseded. These superseded filesets will
be listed whether or not they are installed on a system. This is done by using the swlist command
to list the supersedes attribute of the patch. Note that the first patch of any particular patch
supersession chain does not have a supersedes attribute. In the following example, patch
PHSS_28681 is shown to supersede patches PHSS_27875, PHSS_26498, and PHSS_25201.
(The output has been reformatted to improve readability.)
swlist -l level -a attributepatch_id
For example:
$ swlist -l fileset -a supersedes PHSS_28681
# Initializing...
# Contacting target "some_system"...
#
# Target: some_system:/
#
# PHSS_28681
PHSS_28681.X11-JPN-S-MSG
PHSS_27875.X11-JPN-S-MSG,fr=*
PHSS_26498.X11-JPN-S-MSG,fr=*
PHSS_28681.X11-RUN-CL
PHSS_27875.X11-RUN-CL,fr=*
PHSS_26498.X11-RUN-CL,fr=*
PHSS_25201.X11-RUN-CL,fr=*
PHSS_28681.X11-TCH-B-MSG
PHSS_27875.X11-TCH-B-MSG,fr=*
PHSS_26498.X11-TCH-B-MSG,fr=*
The supersession chain in Figure 2: “HP-UX Patch Supersession Chain” (page 31) is composed of
two separate supersession chains that were combined when patch PHSS_29156 superseded both
PHSS_29026 and PHSS_29008. Again, because of the cumulative nature of HP-UX patches,
patch PHSS_29377 delivers all the features and fixes delivered by the other six patches in this
supersession chain.
Patch-related attributes
Each of the SD-UX objects described in “HP-UX software structure” (page 18) has a set of properties
known as attributes that provide information about the object's characteristics. For patches, these
attributes control aspects of patch behavior and define patch properties and relationships. (See
“State” (page 21) and “Patch state” (page 21).)
For information about how you can use attributes with the swlist command, see “Which patches
are on a system?” (page 23).
Patch-related attributes 31
The following list describes a subset of available attributes:
• ancestor
◦ Applies to filesets.
◦ Identifies the fileset that must be on the system for the patch to be installable.
• category_tag
◦ Provides a label for a fileset or product. Several tags are defined during patch creation;
users can create others with the swmodify command.
◦ See “Category tags” (page 22).
• is_patch
• is_reboot
◦ Applies to filesets.
◦ When set to true, is_reboot indicates that installation of the fileset will cause the
system to reboot.
• patch_state
• readme
◦ Applies to products.
• software_spec
◦ Contains the fully qualified identifier for the bundle, product, or fileset. Uniquely identifies
a specific instance of a software object.
• state
◦ Applies to filesets.
• superseded_by
◦ Records the software specification of the fileset that superseded the fileset on a given
system. This attribute is set only for installed patch filesets, and never in software depots.
◦ See “Ancestors and supersession” (page 27).
You can show these attributes with the swlist command using the -a attribute argument,
replacing attribute with one of the previously listed attributes. For more information about the
swlist command, see “Which patches are on a system?” (page 23).
Patch dependencies
A patch that depends on other software in order to install or run correctly is said to have a
dependency on that other software. In order to become fully active, a patch might require changes
to areas of the system other than those it modifies. Such a patch might have a documented
dependency on one or more patches or nonpatch software products that are responsible for the
changes in these other areas.
For example, in Figure 3: “Patch Supersession Chains and Patch Dependencies” (page 33),
PHXX_31967 and PHXX_31937 depend on each other (mutual dependency). At a later time,
PHXX_32384 supersedes PHXX_31937, and PHXX_31967 can be successfully installed with
either patch. (PHXX_32384, as a cumulative patch, will satisfy the entire dependency.)
However, a superseded (older) patch does not satisfy a dependency on a superseding (newer)
patch. Figure 3: “Patch Supersession Chains and Patch Dependencies” (page 33) provides an
example. PHXX_33662 supersedes PHXX_31967, but PHXX_33662 has an updated dependency
on the superseding patch PHXX_32384. In this case, the older patch (PHXX_31937) doesn't satisfy
the new dependency
For more information about supersession, see “Ancestors and supersession” (page 27).
Patch dependencies 33
Types of dependencies
HP provides patch dependency information for a patch in its patch details page and its patch text
file. The dependency information is contained in the following fields:
• Patch Dependencies
Patches that are required for proper operation.
• Other Dependencies
Various dependencies that cannot be described as patch dependencies, such as those that
are needed only under specific circumstances.
NOTE: While looking at a patch details page or a patch text file, you might notice an additional
field that is dependency related. The Hardware Dependencies field represents a different type of
dependency than those presented in this section. It does not show dependencies on other patches,
but rather gives specific system models to which a patch is limited.
Advanced topic: determining corequisite and prerequisite filesets with the swlist command
You can use the following command to determine the dependent filesets. Replace
dependency_type with either corequisite or prerequisite, as appropriate.
swlist -vl fileset -a dependency_type
fileset
For example:
$ swlist -vl fileset -a corequisite PHSS_29964.DCEC-ENG-A-MAN
# Initializing...
# Contacting target "some_system"...
# PHSS_29964.DCEC-ENG-A-MAN
fileset
corequisites PHCO_24400.CORE-SHLIBS,fa=HP-UX_B.11.11_32/64
NOTE: If you download patches from sources other than the HPSC, you are completely responsible
for identifying and downloading the patches required to satisfy all dependencies.
Standard HP-UX patch bundles, such as the Quality Pack, do not require users to perform any
dependency analysis. All patches required to satisfy all dependencies are included in the bundles.
Using standard HP-UX patch bundles increases confidence that you have obtained and installed
all necessary patches to satisfy all dependencies.
HP patch rating of 1
Although these patches have passed rigorous prerelease testing, HP recommends that you use
these patches only if all of the following conditions are true:
• If you are in a reactive patching situation.
• The highest-rated patch that addresses the problem is rated 1.
• You cannot wait for the patch to increase to a higher rating.
Whenever possible, you should wait until the patch gains more exposure and achieves a rating
of 2 or 3. For more information on reactive and proactive patching, see Chapter 5: “Patch
management overview” (page 45).
Rating details
The following list provides more details about patch ratings of 1:
• Upon release, patches are assigned a rating of 1.
• These patches have successfully completed internal testing by HP.
• Because they are new, these patches have an inherent level of risk associated with them that
you might find unacceptable. However, they are made available in case you are willing to
accept the increased risk because the patch resolves a specific issue on a system.
• If you choose to use one of these patches, you should evaluate and test it carefully prior to
deployment on a system.
HP patch rating of 2
HP recommends that you use patches rated 2 for both proactive and reactive patching and when
a patch rated 3 is not available.
Patches rated 1 might be upgraded to a rating of 2 on any given day (based on the amount of
customer exposure). Therefore, if you chose to defer patch installation to wait for a patch rating
to be upgraded to a rating of 2, you can check for this upgrade on a daily basis.
HP patch rating of 3
Rating 3 is the highest rating HP assigns to a patch. These patches represent the lowest level of
risk. HP recommends you use patches rated 3 whenever possible for both proactive and reactive
patching.
If you are waiting for a specific patch to reach a rating of 3, check the patch quarterly to determine
whether it has been promoted from a rating of 2 to a rating of 3.
Rating details
The following list provides more details on patch ratings of 3:
• These patches have passed more levels of testing than patches rated 1 or 2.
• These patches might appear in the recommended column of the HPSC's Patch Database patch
search results page (provided they have no associated patch warnings).
Patch documentation
All patches have a patch details page, a patch text file, and readme information. The patch details
page should be your first choice for obtaining information because it contains the most up-to-date
information available. This is not always true for the patch text file or the patch readme.
You can find the documentation at the following resources:
• See Chapter 7: “Using the HP Support Center” (page 58). For the patch details page, go to
the HPSC website at http://www.hp.com/go/hpsc.
• The patch text file will be in the downloaded file after you download a patch from the HPSC.
See Chapter 7: “Using the HP Support Center” (page 58).
• The patch readme will be on the system after you install the patch.
The patch details page and the patch text file contain the same fields and provide detailed
information about a patch. Table 4: “Subset of fields in patch text file and patch details page ”
(page 39) shows a subset of these fields.
Table 4 Subset of fields in patch text file and patch details page
Field Description
Patch Name The patch ID. See “Patch identification” (page 18) for more information about
the format of patch IDs.
Post Date The date the patch was released for general distribution.
Warning If the patch has an associated warning, this field shows the date the warning
was issued and provides information about the warning. This field is present
only if the patch has an associated warning. For more information, see “Patch
warnings” (page 41).
Hardware Platforms - OS Releases The hardware platforms and HP-UX OS releases where you can install the
patch.
Automatic Reboot? This is set to Y if the installation of this patch requires a reboot.
Status The support status of the patch. For more information, see “Patch status”
(page 20).
Category Tags A listing of the categories associated with this patch. For more information, see
“Category tags” (page 22).
Patch Dependencies All patches that this patch depends upon for proper operation. You must install
the listed patches if you are installing this patch. For more information, see
“Patch dependencies” (page 33).
Hardware Dependencies The specific system models to which this patch is applicable.
Other Dependencies The various dependencies that cannot be described in a simple manner. For
example, dependencies that are needed only under specific circumstances will
be listed here. For more information, see “Patch dependencies” (page 33).
Supersedes A list of all patches replaced, or superseded, by this patch. For more
information, see “Ancestors and supersession” (page 27).
Special Installation Instructions Any special instructions not included in those mentioned previously. This field
occasionally includes dependency information.
Patch Family Tree The patch family tree browser shows the lineage for a specified patch. The root
of the tree (the top-most patch) is the latest patch in the patch chain. Its
predecessors are shown beneath it, indented to the right with an arrow symbol
pointing to the succeeding patch. Patches at the same indentation level that
point to the same patch have the same successor.
Patch warnings
A patch warning is a notification that a patch causes or exposes adverse behavior. Patch warnings
provide specific information about this incorrect behavior, as well as other important details and
recommendations. This information helps you to make decisions about the patch, such as whether
to install or remove a patch with a warning from the system.
Patch warnings 41
The Warning field contains the following information:
• The issue date of any warnings (year/month/day format)
• Whether the patch warning is critical or noncritical (see “Critical and noncritical warnings”
(page 42))
• A description of the problem
• A suggested course of action for the problem might be provided
• A reference to a replacement patch might be provided
See “Finding information for a specific patch” (page 39) for a description of how you can access
a patch details page and a patch text file.
◦ The HP-UX Software Assistant (SWA) Tool can help you identify security patches
applicable to systems, as well as patches with warnings. For more information, see
Chapter 9: “Using HP-UX Software Assistant for patch management” (page 89).
◦ If you download patches using the HP Support Center (HPSC), you will be sent an
email notification if a warning is issued against any patch you downloaded. For
more information, see Chapter 7: “Using the HP Support Center” (page 58).
• Determine whether the patches chosen for installation require additional patches or other
software to satisfy dependencies. The HPSC Patch Database can help you with this task.
◦ When are your maintenance windows? What length of time are they?
◦ In the event of patches causing negative side effects, what steps will you take to back
out changes, and how long will it take to execute these steps?
◦ To significantly reduce downtime, and to take advantage of the ability to easily
switch back to your original image if the applied patches cause any negative side
effects, consider using Dynamic Root Disk (DRD). With DRD, you create a copy of
the root disk (or clone) that you can apply patches to, while your system is still up
and running. Once all the patches are loaded on the clone, you can then reboot the
system, using the clone as your active root volume. If for any reason you decide that
the patched root volume does not perform as you desire, you can quickly reboot the
original system image. For more information, please see Chapter 10 (page 90).
• Installing patches.
◦ Verify patches.
Verify that the patches installed correctly and that the patch had the desired effect.
• If you have opted to use DRD to reduce your downtime, you will need to create a clone
and apply the patches to the clone, then boot the clone once all changes have been
implemented. For more information, please see Chapter 10 (page 90).
4. Tracking the patch levels of the systems. (Patch level refers to the set of active patches on the
system.)
• Patch level is important when determining which patches are needed on each system.
• You need to know the patch levels of the systems when interpreting patch testing results.
• If you need to open a support call, you might be asked for the current patch level to aid
in troubleshooting.
HP service contracts
If you would like assistance with your patch management work, you can purchase a Mission Critical
level HP service contract. This entitles you to a proactive service called patch analysis. In patch
analysis, an HP support engineer furnishes you with a custom list of recommended patches. At the
Mission Critical (highest) contract level, your assigned HP engineer even helps you define a patch
management strategy based on the software change management principles defined in this chapter.
For more information, visit the HP Software Support Services website at http://www.hp.com/hps/
software.
The process of selecting an appropriate software change management strategy seeks to align
behavior with the key business objectives of the systems involved. The goals of evaluating an
operation and choosing an appropriate strategy include:
• Reduced risk
• Increased system and application availability
• Reduced maintenance time
There are four operational factors that should determine your appropriate strategy:
• New features
Do you need to introduce new operating system or application features into the operating
environment?
• Unplanned down time
What is your tolerance for the operation being unavailable outside the scheduled maintenance
windows?
• Impact on core business
How are business functions affected by down time?
• Self-maintenance
This is an indication of whether or not all system planning and maintenance activities are
performed inhouse without vendor or third-party involvement.
Restrictive Stable release, Use only Make fewest Formal plan with Dedicated
available for one thoroughly tested changes possible explicit roles andequipment that
year or more. patches with the to restore responsibilities. matches
highest level of function. Prepared plan to production
exposure. Perform full back out changes, environment,
diagnostic if necessary. including
analysis before simulated loads.
Documented
attempting a disaster recovery
solution. plan that is
updated and
tested at least
yearly.
Conservative Stable release, Use only Make fewest Formal plan with Dedicated
available for six thoroughly tested changes possible explicit roles andequipment that
months or more. patches with to restore responsibilities. matches
substantial function. Prepared plan to production
exposure. Perform full back out changes, environment.
diagnostic if necessary.
analysis before
attempting a
solution.
NOTE: For HP-UX 11i v1 (B.11.11) releases, HP delivers standard HP-UX patch bundles and
diagnostic tools on Support Plus media and the HPSC.
For the HP-UX 11i v2 (B.11.23) releases, HP delivers standard HP-UX patch bundles on Support
Pack media and the HPSC.
For HP-UX 11i v3 (B.11.31) releases, HP delivers standard HP-UX patch bundles on OE media
and the HPSC.
See Table 8: “Standard HP-UX patch bundle use and release dates” (page 56) for more information.
NOTE: When installing the standard patch bundles from the OE media, do not use the SD option
reinstall=true. Doing so might cause superseding patches to be overwritten and might also
result in a system hang while booting. To install a standard patch bundle from the OE media, use
the swcopy command to create a separate depot for the specific patch bundle.
Key features
Standard HP-UX patch bundles can be a very useful part of a proactive patch management strategy
for the following reasons:
• The bundles save you time during patching and reduce the risk of errors.
• HP tests all patches in the bundle as a group.
• The bundles provide an easy way to standardize the level of patches on systems.
• The bundles provide a solution commonly used by other customers.
• HP performs all dependency analysis to ensure standard HP-UX patch bundles contain all
patches necessary to meet dependencies.
• Unlike installing multiple patches individually, which might require a reboot for each patch,
installation of a bundle never requires more than one system reboot.
• You can use bundles to create standard patch depots for easy deployment to multiple systems.
• The bundles provide a convenient way to track patches on a system.
• HPSC provides support for standard HP-UX patch bundles.
Key features 55
Table 7 Standard HP-UX patch bundle names (continued)
Patch Bundle Name HP-UX 11i v1 (B.11.11) HP-UX 11i v2 (B.11.23) HP-UX 11i v3 (B.11.31)
NOTE: Standard HP-UX patch bundles are cumulative, which means that you can install the latest
version of the bundle to get all the previous changes.
The standard HP-UX patch bundles (QPK, FEATURE11i, and HWE) might have overlapping content.
This does not affect your patching.
For the HP-UX 11i releases, Table 8 (page 56) shows when to use the bundles and also shows the
release information.
Table 8 Standard HP-UX patch bundle use and release dates
Patch Bundle Description When to Use Update Schedule
Quality Pack (QPK) For HP-UX 11i v1 (B.11.11), • To configure a new HP-UX 11i v1, v2, and v3:
HP-UX 11i v2 (B.11.23), system. As needed
and HP-UX 11i v3 (B.11.31) The v2 QPK bundle will have
the QPK is delivered as two • To obtain defect fixes. a final update December
bundles: • Use as available for 2010.
proactive patching.
• Base Quality Pack patch
bundle has the same
purpose as the
single-bundle QPK.
• Applications Quality
Pack patch bundle has all
stable, defect-fix patches
for the OE applications.
Hardware Enablement HWE provides the minimal • To get a new system. HP-UX 11i v1, v2, and v3:
(HWE) set of patches for supporting As needed
new and legacy hardware • To add new hardware to
using HP-UX. the system.
Required Patch Bundle The HP-UX 11i v1 Required Installed automatically with HP-UX 11i v1 and v2: As
(BUNDLE11i) Patch Bundle consists of the appropriate core needed
patches for HP-UX 11i v1, software. HP-UX 11i v3: N/A
which are required to install
and update the operating
system.
Feature Enablement Patch FEATURE11i provides the To enable the use of new HP-UX 11i v2 and v3: As
Bundle (FEATURE11i) minimal set of patches for HP-UX features or needed.
supporting new HP-UX enhancements.
software features and
enhancements.
TIP: Acquiring and installing standard HP-UX patch bundles is a two-step process. See Chapter 3:
“Quick start guide for patching HP-UX systems” (page 10).
• patching
• downloads/licensing
• notifications
NOTE: This section only addresses finding individual patches, not finding firmware.
Key features
With the patch database, you can search for patches using a variety of criteria. Once the search
returns the results, you can obtain information, including the following:
• Patch rating
• Patch that HP recommends, if any
• Most recent patch
• Patch warning, if any
• Supersession by another patch
• Supersession of other patches
• A patch details page containing comprehensive information about each patch returned
See Table 9: “Navigating the search results table” (page 60) for descriptions of the search results.
Table 9 (page 60) shows how to interpret the information in the search results table.
specified If you search for a specific patch it is displayed in the specified column,
which is only shown when a search is done for a specific patch ID.
most recent Shows the latest patch without a warning in the supersession chain.
(hp rating) Indicates the quality rating assigned to a patch. Three stars is the highest
rating assigned to any patch. The higher the rating, the lower the risk of
side effects and the more suitable the patch is for mission-critical
environments.
Patch Row The patches shown in a row are the same or are related by supersession.
Patch ID Link Access the patch details page associated with a patch by selecting the
patch ID. This page contains extensive information about the patch.
notes: Provides additional information about icons and information returned with
patches.
Table Icons Icons are displayed along with the patches to provide additional information.
critical fix
reboot required
not available
enhancements only
special instructions
hardware enablement
5. You can download one patch of your choice from each row of patches returned by the search.
• Select the checkbox next to the patch ID link.
• Click the add to selected patch list button.
6. You should view the special installation instructions and check for dependencies
for each patch you want to download by selecting the patch ID link.
• See “Advanced topic: checking for special installation instructions” (page 61).
• See “Advanced topic: checking for all patch dependencies” (page 62).
For example, in the previously shown screen, if you selected PHKL_28766 and then add to
selected patch list, you would see the selected patch list table as shown below.
TIP: You can use the show_patches –it command directed at a source depot to list Special
Installation Instructions documented within any patches in the depot. For more information, see
show_patches(1).
The show patches command is available on 11i v3 systems, and is available as a patch in
preceding HP-UX versions:
• PHCO_32220 for 11i v2
• PHCO_27780 for 11i v1
2. Read the other dependencies and special installation instructions sections of the patch details
page. The other dependencies section, and occasionally the special installation instructions
section, might list additional patches or products that are needed to obtain full functionality
of the patch selected.
If additional patches are listed, determine whether any are needed for your specific situation.
If so, note the patch IDs for use in step 3.
TIP: HP-UX Software Assistant (SWA) was released in January, 2007 as a software upgrade to
the Patch Assessment Tool. For more information, see Chapter 9: “Using HP-UX Software Assistant
for patch management” (page 89).
Key features
Digest subscriptions allow you to do the following:
• Stay up to date with the latest support information from HP via email.
• Select your areas of interest and receive the appropriate digests from HP.
To access the Subscriber's choice page:
1. Log in to the HPSC at http://www.hp.com/go/hpsc.
2. Select Patch database.
3. On the right navigation under useful links, select subscribe to patch digests.
check_patches Check for installation problems and issues related to patches. Options allow
you to check for patches missing the SD-UX patch attributes, missing patch
filesets, patch object modules missing from archive libraries, patch filesets with
the incorrect patch_state, patch filesets not in the configured state, and
patch filesets that fail swverify.
This command is available on 11i v3 systems, and is available as a patch in
preceding HP-UX versions:
• PHCO_27780: 11.11 HP-UX Patch Tools
• PHCO_32220: 11.23 HP-UX Patch Tools
See check_patches(1M) for more information.
cleanup Allows you to commit all patches that have been superseded a specified number
of times. You can execute this command in preview mode to see what effect
the command will have without making any changes.
show_patches List patches installed on a system or in a depot. Options allow you to list patches
that are active, superseded, require Special Installation Instructions, or have
any Other Dependencies.
This command is available on 11i v3 systems, and is available as a patch in
preceding HP-UX versions:
• PHCO_27780: 11.11 HP-UX Patch Tools
• PHCO_32220: 11.23 HP-UX Patch Tools
See show_patches(1) for more information.
swcopy Copies software from a software source to a depot or from one depot to another.
Can add products to an existing depot, replace products already on a depot,
or create a new depot.
swlist Use to list software elements, their attributes, and their organization. It lists both
installed software and software contained within a depot.
swmodify Use to change information in the installed products database or depot catalog
files.
swremove Use to remove previously installed software or remove packaged software from
a depot.
swverify Use to verify installed software or depot software for correctness and
completeness.
sysdiff Compares SD-UX packaged software and active patches between two systems.
This command is available on 11i v3 systems and is available as a patch for
11i v2:
• PHCO_32220: 11.23 HP-UX Patch Tools
See sysdiff(1) for more information.
Depot types
There are two types of SD-UX software depots:
• Directory depots
• Tape depots
Both are commonly used and provide the same basic functionality. However, each has its own
advantages for you to consider. This chapter focuses on using directory depots for patch
management. Less emphasis is placed on the use of tape depots.
Directory depots
Directory depots, also known as network depots, are more practical than tape depots for patch
management tasks. Directory depots exist as a directory structure, and the name of the depot's
root directory is the name of the depot.
Tape depots
Tape depots, also known as serial access depots, are primarily used for software transfer. Tape
depots are completely contained within a single file, which is formatted as a tape archive (tar),
and are accessed in a serial manner. Within the archive, directory and file entries are organized
using the same structure as that used for directory depots. Tape depots have the default file extension
.depot. Although you are not required to use this extension, it can help you to easily distinguish
tape depots from other files.
If you download patches or patch bundles from HP, you receive tape depots. These depots might
be contained in another file, such as a tar file or a shell archive (shar) file. Although the tape
depot format was designed to support software delivery on tape, tape depots are not limited to
tape media. You can locate them anywhere a directory depot can be located.
Using depots
As you start identifying uses for depots in your patch management process, you should consider
the intended purpose and use model for each potential depot. There are many appropriate patch
management uses for depots, including the following:
• Periodic patch depot — contains patches that define the current recommended patch level.
These are patches that you have tested as a group on the target configuration. You will generate
periodic patch depots on a regular basis. Here are some possible generation time frames:
◦ Semiyearly or yearly, to coincide with the release of specific-standard HP-UX patch
bundles, such as Quality Pack (QPK) or Hardware Enablement (HWE).
◦ Monthly, to allow more timely inclusion of critical fixes and security patches.
◦ Regularly in advance of scheduled system down time to take advantage of the opportunity
to install new patches.
Many users find it unacceptable to modify the contents of a periodic patch depot after it
has undergone analysis and testing. In this case, you can create a critical patch depot
to supplement a periodic patch depot.
• Critical patch depot — contains critical fix or security-related patches that were not available
when you created the latest periodic patch depot. Use this depot to update any systems that
Using depots 69
encounter known failures and to bring systems up to the latest level of security patches. You
can use this depot as the starting point for the next version of the periodic patch depot.
• Application depot — contains patches specific to a given application. This type of depot might
actually be a specific version of a periodic patch depot.
After you have identified the need that a specific depot will address, you should determine whether
a directory depot or a tape directory best suits your needs. Most often, directory depots will be
more useful for patch management. You must also select a location for the depot.
Viewing depots
Use the swlist command to list the registered directory or tape depots on a local or remote
system. You can also use the swlist command to view the contents of a directory or tape depot.
This section provides examples of how to use the swlist command to view depots.
Viewing depots 71
For more information about the swlist command, see the Software Distributor Administration
Guide on the HP Business Support Center website at http://www.hp.com/go/sd-docs.
◦ Executes in preview mode when given the optional -p command line argument.
◦ Does not perform the software copy. It shows what the output from executing the command
will be.
◦ Results in the creation of the root directory for the depot as well as a catalog directory
and a swagent.log file. The log file contains useful information, including disk space
analysis. The command output includes instructions for viewing the information in the log
file. These instructions are similar to the following:
NOTE: More information may be found in the agent
logfile using the command
"swjob -a log target_system-1234 \
@ target_system:/some_directory/target_depot".
• -s [source_system:]/directory_path/source_depot
◦ Specifies the tape or directory depot from which patches will be copied.
◦ Include the name of the source_system to specify a system other than the local one.
◦ Use the appropriate path and depot name of the depot on the media to copy from a
depot located on media, such as CD or DVD.
• @ [target_system:]/directory_path/target_depot
◦ Specifies the depot directory into which the selected patches will be copied.
◦ Include the name of the target_system to specify a system other than the local one.
◦ If this target does not exist and you execute the swcopy command as a user with
appropriate permissions, the target is created. If you do not have the required permissions,
the command generates an error message that provides information about actions you
can take to resolve the problem.
NOTE:
• Registered depots on a network server are both visible and accessible to remote systems.
These depots can be used as a software source for remote systems.
• Unregistered depots on a network server are neither visible nor accessible to remote systems.
These depots cannot be used as a software source for remote systems.
Depots can be registered or unregistered in the following ways:
• The swreg command explicitly registers or unregisters depots.
• The swcopy command automatically registers newly created depots.
• The swremove command automatically unregisters a depot after removing all the software
contained in the depot.
If you have a depot that you want other users to access, you must register it. You should only do
this if you intend the depot to be used as a software source for remote systems.
Depot registration is not required for access from the local host. Registration also is not required
for using the swlist command remotely to view depot contents. For additional details about the
swreg command, see the swreg(1M) manpage and the Software Distributor Administration Guide
on the HP Business Support Center website at http://www.hp.com/go/sd-docs.
* Beginning Selection
* Targets: some_system
* Objects: /house/bundles/130325/ultra/11.31/depot
* Selection succeeded.
======= 03/26/13 13:33:11 IST END swreg SESSION (non-interactive)
To unregister a depot, use this command:
swreg -u -l depot directory_path_to_depot
For example:
$ swreg -u -l depot /house/bundles/130325/ultra/11.31/depot
======= 03/26/13 13:33:37 IST BEGIN swreg SESSION (non-interactive)
* Session started for user "root@some_system".
* Beginning Selection
* Targets: some_system
* Objects: /house/bundles/130325/ultra/11.31/depot
• @ depot_location
Specifies the directory depot that contains the software to be verified.
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swverify.last".
* The analysis phase succeeded for
"my_system:/my_depots/new_directory_depot".
* Verification succeeded.
NOTE: More information may be found in the agent logfile using the command
"swjob -a log my_system-0831 @ my_system:/my_depots/new_directory_depot".
======= 05/03/04 12:28:51 MDT END swverify SESSION (non-interactive)
(jobid=my_system-0831)
The following example verifies the directory depot /my_depots/PHSS_30278_depot/. This
depot contains one patch, PHSS_30278. This patch is dependent on patch PHSS_29657, which
is not included in the depot. Because of this, the verification failed. The command output indicates
how you can obtain more information about the failure. In this case, if patch PHSS_29657 is
already installed on the target system, you can use depot PHSS_30278_depot for installation of
patch PHSS_30278, even though the depot failed verification.
For example:
$ swverify -d \* @ /my_depots/PHSS_30278_depot
======= 05/03/04 13:04:00 MDT BEGIN swverify SESSION
(non-interactive) (jobid=my_system-0841)
* Software selections:
PHSS_30278.F90-JPN-E-MAN,r=1.0,a=HP-UX_B.11.23_IA/PA,
v=HP,fr=1.0, fa=HP-UX_B.11.23_IA/PA
PHSS_30278.F90-JPN-S-MAN,r=1.0,a=HP-UX_B.11.23_IA/PA,
v=HP,fr=1.0, fa=HP-UX_B.11.23_IA/PA
PHSS_30278.F90-RELNOTES,r=1.0,a=HP-UX_B.11.23_IA/PA,
v=HP,fr=1.0, fa=HP-UX_B.11.23_IA
PHSS_30278.FORT90-MAN,r=1.0,a=HP-UX_B.11.23_IA/PA,
v=HP,fr=1.0, fa=HP-UX_B.11.23_IA/PA
PHSS_30278.FORT90-PRG,r=1.0,a=HP-UX_B.11.23_IA/PA,
v=HP,fr=1.0, fa=HP-UX_B.11.23_IA
* Selection succeeded.
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swverify.last".
◦ Replace with a wildcard to remove multiple patches with one command. For example:
• @ [target_system:]/some_directory/target_depot
◦ Include target_system if you want to specify a system other than the local one.
◦ Use to specify the directory depot from which the selected patches will be removed.
The success or failure of the command is indicated in the output, which also details how to get
more information.
It is good practice to unregister a depot that has been made available for remote use prior to
modifying the depot. When you have completed depot modifications, reregister the depot to make
it available again.
The following example shows how to remove patch PHCO_27780 from directory depot
/my_depots/new_directory_depot on the system named my_system:
For example:
$ swremove -d PHCO_27780 @ my_system:/my_depots/new_directory_depot
======= 05/03/04 13:25:01 MDT BEGIN swremove SESSION
(non-interactive) (jobid=my_system-0843)
* Beginning Selection
* Target connection succeeded for
"my_system:/my_depots/new_directory_depot".
* Software selections:
PHCO_27780.CMDS-AUX,r=1.0,a=HP-UX_B.11.11_32/64,
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swremove.last".
* The analysis phase succeeded for
"my_system:/my_depots/new_directory_depot".
* Analysis succeeded.
* Beginning Execution
* The execution phase succeeded for
"my_system:/my_depots/new_directory_depot".
* Execution succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log my_system-0843 @
my_system:/my_depots/new_directory_depot".
======= 05/03/04 13:25:02 MDT END swremove SESSION (non-interactive)
(jobid=my_system-0843)
• Use the cleanup command in preview mode to see what changes will occur. The command
output shows that patch PHCO_24630 will be removed because the cleanup command
• Use the swlist command to show the contents of depot /my_depots/patch_depot. The
depot now contains only one patch: PHCO_27780
$ swlist -l product @ /my_depots/patch_depot
# Initializing...
# Contacting target "my_system"...
#
# Target: my_system:/my_depots/patch_depot
#
PHCO_27780 1.0 HP-UX Patch Tools
* Beginning Selection
* Targets: my_system
* Objects: /my_depots/PHCO_27780_depot
* Selection succeeded.
======= 08/06/04 14:10:36 MDT END swreg SESSION
(non-interactive)
2. Remove the depot's root directory and contents:
$ rm -r /my_depots/PHCO_27780_depot/
• -ssource_system:/some_directory/source_depot
Specifies the tape or directory depot from which patches will be installed. For a tape depot,
this must refer to a local depot.
To install from a depot located on media, such as CD or DVD, use the appropriate path and
depot name of the depot on the media.
• -x autoreboot=true
Reboots the system when required.
• @ target_selections
Specifies the system on which the specified software is to be installed. Use this optional
argument if the target system is not the local system.
CAUTION: Before you install any patches, you should back up your system.
On the previous page, the swinstall command with the arguments includes the
autoreboot=true argument. If the Automatic Reboot field of a patch's patch details page or in
the patch text file is set to true when you use the swinstall command to install patches then
the target system will automatically reboot.
A brief warning is given just prior to system reboot, but the system goes down immediately after
the warning is issued. Therefore, it is very important that, prior to installing any patches that require
a system reboot, you follow your company's policy regarding a system reboot.
For information, see the Software Distributor Administration Guide on the HP Business Support
Center website at http://www.hp.com/go/sd-docs and the swinstall(1M) manpage.
* Beginning Selection
* Target connection succeeded for "my_system:/".
* Source connection succeeded for "my_system:/my_depots/depot".
* Source: /my_depots/depot
* Targets: my_system:/
* Software selections:
PHSS_30501.AGRM,l=/,r=B.11.11.22,
a=HP-UX_B.11.11_32/64,v=HP,fr=B.11.11.22,
fa=HP-UX_B.11.11_32/64
...
PHSS_30501.XEXT-RECORD,l=/,r=B.11.11.22,
a=HP-UX_B.11.11_32/64,v=HP,
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swinstall.last".
* The analysis phase succeeded for "my_system:/".
* Analysis succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log my_system-0856 @ my_system:/".
* Beginning Selection
* Target connection succeeded for "my_system:/".
* Source connection succeeded for
"my_system:/my_depots/a_depot".
NOTE: The patch match operation failed to find patches for target
software on "my_system" which passed the filter.
* Source: /my_depots/a_depot
* Targets: my_system:/
* Software selections:
PHCO_28175.CORE-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
* Selection succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log my_system-0864 @ my_system:/".
NOTE: You can also use the HP-UX Software Assistant (SWA) tool to create a custom bundle.
See Chapter 9: “Using HP-UX Software Assistant for patch management” (page 89).
For more information about Ignite-UX, see the Ignite-UX Administration Guide, which is available
on the HP Business Support Center website at http://www.hp.com/go/ignite-ux-docs.
You can also visit the Ignite-UX webpage at http://www.hp.com/go/ignite-ux.
You can use Ignite-UX to create custom bundles from patches that you have placed in a temporary
depot. You can then move this bundle to a permanent depot, such as a periodic depot, for
installation purposes. HP recommends custom bundle creation when you have a group of closely
related patches that you want to place in a depot with other patches. This is advantageous for the
following reasons:
• When you list the contents of the depot, you see the bundle rather than the individual patches.
• If you choose to install only this group of patches, you simply select the bundle for installation.
• After installing a bundle, when you use the swlist command to list the patches on a system
you will see the bundle rather than the individual patches contained in the bundle.
Suppose you have a group of 10 patches related to software application XYZ in the first quarter
of 2005. You can create a bundle of these patches and name it 2005_Q1_APP_XYZ. You can
then place this bundle in your periodic patch depot. When you use the swlist command to list
the contents of the depot, the bundle name shows up instead of the 10 individual patches. This
can be very helpful when the swlist command returns a large list, because your bundle is more
visible than the individual patches.
#
# Product(s) not contained in a Bundle:
#
SOME_PATCH_001 rev patch description
INDIVIDUAL_XYZ_PATCH_001 rev patch description
SOME_PATCH_002 rev patch description
SOME_PATCH_003 rev patch description
SOME_PATCH_004 rev patch description
INDIVIDUAL_XYZ_PATCH_002 rev patch description
...
SOME_PATCH_067 rev patch description
SOME_PATCH_068 rev patch description
SOME_PATCH_069 rev patch description
INDIVIDUAL_XYZ_PATCH_010 rev patch description
...
SOME_PATCH_134 rev patch description
INDIVIDUAL_XYZ_PATCH_015 rev patch description
SOME_PATCH_135 rev patch description
SOME_PATCH_136 rev patch description
...
If you bundle the patches into a bundle called 2005_Q1_APP_XYZ_BUNDLE, it is much easier to
determine if the patches are included in the swlist output.
#
# Bundle(s):
#
SOME_BUNDLE_001 rev bundle description
SOME_BUNDLE_002 rev bundle description
2005_Q1_APP_X_BUNDLE rev bundle description
#
# Product(s) not contained in a Bundle:
#
SOME_PATCH_001 rev patch description
SOME_PATCH_002 rev patch description
...
#
# No Bundle(s) on my_system:/my_depots/temporary_depot/
# Product(s):
#
PHCO_24587 1.0 psrset(1M) man page patch
PHCO_25130 1.0 vPar manpage cumulative patch
PHCO_28175 1.0 vPar commands man pages patch
PHCO_28830 1.0 security(4) man page cumulative patch
2. Create a bundle containing these four patches. The following command creates a bundle in
the temporary depot named PATCH_ASSESSMENT_05042005 with a title of “May 04,
2005: HP-UX 11.11 Patch Assessment Patches” and a revision of 1.0.
$ make_bundles -B \
-n PATCH_ASSESSMENT_05042005 \
-t "May 04, 2005: HP-UX 11.11 Patch Assessment Patches" \
-r 1.0 \
/my_depots/temporary_depot/
3. List the contents of the temporary depot. Note the presence of the newly created bundle.
$ swlist -d @ /my_depots/temporary_depot/
# Initializing...
# Contacting target "my_system"...
# Target: my_system:/my_depots/temporary_depot/
#
# Bundle(s):
#
PATCH_ASSESSMENT_05042005 1.0 May 04, 2005:
HP-UX 11.11 Patch Assessment Patches
4. Preview copying the bundle (using the -p argument) from the temporary depot to the periodic
depot. Review the output generated by this command.
$ swcopy -p -s my_system:/my_depots/temporary_depot/ PATCH_ASSESSMENT_05042005 \
@ my_system:/my_depots/periodic_depot/
* Beginning Selection
* "my_system:/my_depots/periodic_depot/": This target does not exist
and will be created.
* Source connection succeeded for "my_system:/my_depots/temporary_depot/".
* Source: my_system:/my_depots/temporary_depot/
* Targets: my_system:/my_depots/periodic_depot/
* Software selections:
PATCH_ASSESSMENT_05042005,r=1.0,a=HP-UX_B.11.11_32/64
PHCO_24587.ADMN-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
PHCO_25130.CORE-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
PHCO_28175.CORE-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
PHCO_28830.ADMN-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swcopy.last".
* The analysis phase succeeded for
"my_system:/my_depots/periodic_depot/".
* Analysis succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log my_system-1132 @
my_system:/my_depots/periodic_depot/".
* Beginning Selection
* "my_system:/my_depots/periodic_depot/": This target does
not exist and will be created.
* Source connection succeeded for "my_system:/my_depots/temporary_depot/".
* Source: my_system:/my_depots/temporary_depot/
* Targets: my_system:/my_depots/periodic_depot/
* Software selections:
PATCH_ASSESSMENT_05042004,r=1.0,a=HP-UX_B.11.11_32/64
PHCO_24587.ADMN-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
PHCO_25130.CORE-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
PHCO_28175.CORE-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
PHCO_28830.ADMN-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
PHCO_28830.CORE-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
PHCO_28830.PAUX-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
PHCO_28830.SEC-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,
fr=1.0,fa=HP-UX_B.11.11_32/64
* Selection succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log my_system-1133 @
my_system:/my_depots/periodic_depot/".
#
# Bundle(s):
#
PATCH_ASSESSMENT_05042004 1.0 May 04, 2004: HP-UX 11.11 Patch
Assessment Patches
7. Finally, remove the temporary depot.
$ swreg -u -l depot my_system:/my_depots/temporary_depot/
$ rm -r /my_depots/temporary_depot/
IMPORTANT: Version C.02.75 of SWA is required to allow entitled customers access to the
HPSC. SWA C.02.75 supersedes all preceding versions.
You can use SWA from the HP-UX command line or from HP SIM.
To run SWA from HP SIM, use HP SIM version 5.2 or later HP-UX Central Management Server
(CMS).
SWA is supported on HP-UX 11i v3, v2, and v1 systems.
◦ swa-report(1M)
◦ swa-get(1M)
◦ swa-step(1M)
◦ swa-clean(1M)
◦ drd-activate(1m)
◦ drd-clone(1m)
◦ drd-deactivate(1m)
◦ drd-mount(1m)
◦ drd_register_mirror(1m)
◦ drd-rehost(1m)
◦ drd-runcmd(1m)
◦ drd-status(1m)
◦ drd-sync(1m)
◦ drd-umount(1m)
◦ drd_unregister_mirror(1m)
◦ drd-unrehost(1m)
TIP: HP-UX Software Assistant (SWA) was released in January, 2007 as a software upgrade to
the Patch Assessment Tool. For more information, see Chapter 9: “Using HP-UX Software Assistant
for patch management” (page 89).
The Patch Assessment Tool replaces the Custom Patch Manager (CPM) Tool.
In addition to creating custom bundles, you can also use the Patch Assessment Tool to do the
following:
• Ensure your system meets the HP recommended patch configuration.
• Ensure all applicable security patches are installed on the system.
• Identify and acquire replacement patches for patches with warnings installed on the system.
If you are implementing a proactive patch management strategy, the Patch Assessment Tool can
be useful as your primary method of patch selection. See Chapter 5: “Patch management overview”
(page 45) for more information about proactive patching.
The benefits of using the Patch Assessment Tool to select and acquire patches include:
• The assessment returns a set of patches customized to your needs based on your input:
◦ Select or deselect patches that provide critical fixes.
◦ Select or deselect replacement (or superseding) patches for patches already on a system
that have noncritical or critical warnings.
◦ Require that a specific patch be included in the assessment.
◦ A custom profile allows you to specify that the assessment select patches for any of
the following:
– Latest QPK patch bundle
– Security patches
– Replacements for installed patches with critical warnings
– Replacements for installed patches with any warnings
– Critical fixes
– Updates for patches already installed
– Miscellaneous patches for the specific operating system of the system being
assessed
– Miscellaneous patches for the specific hardware model of the system being
assessed
– Application-specific patch sets
– All applicable patches
HP contact information
For the name of the nearest HP authorized reseller:
• See the Contact HP worldwide (in English) webpage (http://welcome.hp.com/country/us/
en/wwcontact_us.html).
For HP technical support:
• In the United States, for contact options see the Contact HP United States webpage (http://
welcome.hp.com/country/us/en/contact_us.html). To contact HP by phone:
◦ Call 1-800-HP-INVENT (1-800-474-6836). This service is available 24 hours a day, 7
days a week. For continuous quality improvement, calls may be recorded or monitored.
◦ If you have purchased a Care Pack (service upgrade), call 1-800-633-3600. For more
information about Care Packs, refer to the HP website (http://www.hp.com/hps).
• In other locations, see the Contact HP worldwide (in English) webpage (http://
welcome.hp.com/country/us/en/wwcontact_us.html).
Subscription service
HP recommends you register your product at the Subscriber's Choice for Business website: http://
www.hp.com/united-states/subscribe/gateway
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Related information
Documents
• HP-UX Software Assistant Administration Guide
• Dynamic Root Disk Administrator's Guide
• Ignite-UX Administration Guide
• Software Distributor Administration Guide
Contacting HP 95
• Support Plus User Guide
• Read Before Installing Support Plus
HP websites
• HP Home Page
• HP-UX 11i features and news
• Software Assistant
• Dynamic Root Disk
• Ignite-UX
• HP Support Center
• HP Software Depot
• Software Distributor
• System diagnostic and monitoring tools
• HP HPSC hp-ux technical documentation forum
• HP_UX_Docs Twitter account
Typographic conventions
This document uses the following typographical conventions:
%, $, or # A percent sign represents the C shell system prompt. A dollar sign
represents the system prompt for the Bourne, Korn, and POSIX
shells. A number sign represents the superuser prompt.
audit(5) A manpage. The manpage name is audit, and it is located in
Section 5.
Command A command name or qualified command phrase.
Computer output Text displayed by the computer.
Ctrl+x A key sequence. A sequence such as Ctrl+x indicates that you
must hold down the key labeled Ctrl while you press another key
or mouse button.
ENVIRONMENT VARIABLE The name of an environment variable, for example, PATH.
ERROR NAME The name of an error, usually returned in the errno variable.
Key The name of a keyboard key. Return and Enter both refer to the
same key.
Term The defined use of an important word or phrase.
User input Commands and other text that you type.
Variable The name of a placeholder in a command, function, or other
syntax display that you replace with an actual value.
[] The contents are optional in syntax. If the contents are a list
separated by |, you must choose one of the items.
{} The contents are required in syntax. If the contents are a list
separated by |, you must choose one of the items.
... The preceding element can be repeated an arbitrary number of
times.
Indicates the continuation of a code example.
| Separates items in a list of choices.
Typographic conventions 97
13 Documentation Feedback
HP is committed to providing documentation that meets your needs. To help us improve the
documentation, send any errors, suggestions, or comments to Documentation Feedback
(docsfeedback@hp.com). Include the document title and part number, version number, or the URL
when submitting your feedback.
98 Documentation Feedback
A Patch usage models
This appendix lists the following patch usage models:
• “Patch usage model 1: hardware/application software change” (page 100)
• “Patch usage model 2: third-party hardware/software qualification” (page 104)
• “Patch usage model 3: operating environment cold install” (page 105)
• “Patch usage model 4: operating environment update” (page 107)
• “Patch usage model 5: proactive patch” (page 109)
• “Patch usage model 6: reactive patch” (page 110)
The following legend is used in all the diagrams in this appendix.
99
Patch usage model 1: hardware/application software change
No
Ye s
Create clone
Activate and
reboot clone
NOTE: * More information is available in the Managing Rare DRD-Unsafe Patches white paper,
available at http://www.hp.com/go/drd-docs.
Go to A Go to A-1
Ye s Ye s
No
Ye s Do you want
No to use Ignite-
Go to C UX depots?
No
Use an existing Install from master
B egin: depots or
customer created
Additional HP-UX Ye s golden image Go to B – HP-UX
“golden” image
11i v2/v3 Systems or master depot? 11i v2/v3
Depot Creation
Go to C-1
A
Run Software Act on
1 Assistant (SWA) recommended
to find additional actions from
Install issues and their SWA as
Cold install OE, Find and resolution.
additional HP appropriate;
all patch bundles, install 3rd Updated products
Applications or No will include
optional products party
optional core and patches will be manual
from OE DVD applications
ehancements? identified; manual actions and
actions might be installation of
required. patches and
Use SWA to create products
Ye s depot of additional
patches, if needed.
NOTE: All 11i v1 OEUR media and Support Plus media (with the required patch bundles) used
during installation must come from the same media set. The 11i v2 and v3 OEUR media include
all standard patch bundles needed during installation.
Additional software can be obtained from the HP Software Depot.
Go to C - HP-UX
11i2/v3 Depot Install
Copy QPKAPPS
bundle from OE
media into
Application Depot
C
Run Software Act on
Assistant (SWA) recommended
to find additional actions from SWA
Find and install
Install issues and as appropriate;
required 3rd party
additional their resolution. will include
Cold install software, other
products and Updated products manual actions
OE from non-OE
patches from and installation
Core Depot applications and patches will be
additinal 11 i of patches
and hardware identified; manual
depots and products
products/patches actions might be
required.
C-1
Use SWA to create
depot of additional
patches, if needed. Test/
validation/
reload data/
deploy
Create final
End : recovery/
Deploy system to archive
production image
Updating from
11i v1.6 or 11i v2 Update using
No prior to 09/2004 No media as
to 11i v2 source?
09/2004
or later
No
Ye s
go to B – HP-UX
Consulting opportunity – engage 11i v2/v3
HP Support Representative if needed * swinstall Depot Creation
August 2004
Bundle 11i
Install/ Installing
upgrade optional core Go to C - HP-UX
No No
additional HP enhancements? 11i2/v3 Depot Update
swcopy OE, optional drivers,
products?
QPK, HWE, and optional
products from OE media into
new Core Depot
Ye s Ye s
swcopy additional
swcopy optional
HP applications
core
from Application
enhancements
Software Media
from
into
Software
Application Depot
Pack (SPK)
swcopy QPKAPPS
from OE
media into
Application Depot
C
Run Software Act on
Find and Assistant (SWA) recommended Add patches
install 3rd to find additional actions from to master
party issues and their SWA as depot(s)
swinstall applications resolution. appropriate; if desired
Update-UX Updated products will include
from and patches will be manual
Core Depot actions and
identified; manual
installation of
actions might be Test/
patches and
required. products validation/
Use SWA to create roll into
Update 11i OE, production
depot of additional
optional drivers, patches, if needed.
QPK, HWE and
optional
products from
11i Core Depot Create final
using Update-UX recovery/
archive
image
Update
additional
products,
patches and/or E nd:
optional core Functioning updated
features from system
11i depot(s)
using swinstall
NOTE: Problems might be encountered if non-OE applications are installed simultaneously to the
OE installation. A two-depot model is recommended.
HP applications and SPK bundles may be acquired from http://www.hp.com/go/softwaredepot.
For more information, see HP-UX Installation and Update Guide at http://www.hp.com/go/
hpux-core-docs-11iv3.
B egin:
Start with functioning
system
Run SWA to
Resolve
find additional
security
issues and their issues including
resolution. manual actions.
Updated products Add patches
Is patch and patches will used for
U s e D RD to No be identified;
assessment to be reactive
performed by HP No minimize manual actions patching in the
support? d ow n ti m e might be required. past to the
Use SWA to patch depot.
create depot of
additional patches
Ye s if needed.
Ye s
Cre a te clo n e
Was
Co n ta ct HP S u p po rt U s e D RD to DRD used
Obtain patch Install
for p a tch minimize No to create No
depot from HP patches
assessm ent d ow n ti m e? a clone?
Ye s Test/
validation/
roll into
* Ensure the latest production
Ye s Cre a te clo n e drd_unsafe_patch_list
file is loaded
Apply
patches
to clone
and
test/validate
Activate and
reboot clone
En d:
Create
Functioning
recovery/
system with new
archive image
patches
NOTE: * More information is available in the Managing Rare DRD-Unsafe Patches white paper,
available at http://www.hp.com/go/drd-docs.
111
HP-UX Software A tool that consolidates and simplifies patch management and security bulletin management on
Assistant HP-UX systems. The SWA tool is the HP-recommended utility to use to maintain currency with
HP-published security bulletins and recommended patch levels for HP-UX 11i software. SWA has
been released for HP-UX 11i systems. SWA can perform a number of checks including published
security issues, installed patches with warnings, and missing patches with critical fixes. Once an
analysis has been performed, you can use SWA to download any recommended patches or
patch bundles and create a depot ready for installation.
Ignite-UX An application that facilitates installing and configuring HP-UX systems. Ignite-UX provides a
toolset used on HP-UX for doing cold installs and system recovery. It uses SD for doing
package-based installs, and can also use golden images for supplying software.
installed product A product that has been installed on a host so that its files can be used by end users. Contrasts
with a product residing in a depot on a host's file system. Sometimes referred to as an available
product.
Installed Products Describes the products that are installed on any given host (or within an alternate root). Installed
Database product information is created by the swinstall command, and managed by the swmodify
command. The contents of an IPD reside in a directory structure with a single common root.
IPD See Installed Products Database.
IUX See Ignite-UX.
object The pieces of software that SD-UX packages, distributes, installs, and manages. There are three
classes of objects: software (installed on target roots or available in depots), containers (depot,
roots, alternate roots), and jobs.
patch Software designed to update specific bundles, products, subproducts, filesets, or files on a system.
By definition, patch software is packaged with the is_patch attribute set to true.
patch bundle Is a collection of patches that have been grouped into a single software object (bundle) to meet
a specific need.
See also bundle.
patch category Patches have categories, or category tags, associated with them to simplify the process of
determining the general purpose of a specific patch.
patch rollback The process of removing a patch from the system and restoring the system to the prepatched state.
patch warning Is a notification that a patch causes or exposes adverse behavior. Patch warnings provide specific
information about this incorrect behavior, as well as other important details and recommendations.
prerequisite A dependency in which one fileset requires another fileset to be installed or configured before
the first fileset can be installed or configured. For example, fileset A might require that fileset B
is installed before fileset A can be installed. Therefore, fileset B is a prerequisite for fileset A.
See also dependency, corequisite.
product directory The root directory of a product object, in which most of its files are contained. You can change
(relocate) the default product directory when you install a locatable product.
rollback See patch rollback.
SD See Software Distributor.
SD-UX HP-UX software management commands. These commands are referred to as SD-UX (Software
Distributor-HP-UX).
See also Software Distributor.
serial depot See tape depot.
software depot An SD format structure that contains one or more software products that can be installed on other
systems or copied to other depots.
Software The native toolset used on HP-UX for managing software packages.
Distributor
software object The objects packaged, distributed, installed, or managed by SD. A software object can be a file,
fileset, bundle, or product. Most operations are performed on filesets.
subproduct A subset or partitioning of a software product. A subproduct is an optional component of a
product and contains one or more filesets.
superseded The state in which a patch is applied but is then replaced by a superseding patch.
112 Glossary
See also applied, committed.
superseding patch A patch that supersedes all previous patches to a given fileset.
SWA See HP-UX Software Assistant.
tape depot A software depot stored in tape archive (tar) format. Within the archive, directory and file entries
are organized using the same structure as any other SD-UX format depot.
warning See patch warning.
113
Index
and patch bundles, 19
A and patch chains, 28
Access Control Lists, 76 copying products with patches, 74
advanced topics difference between enforced and manual, 34
Access Control Lists, 76 how to make sure you have everything, 62
checking for all patch dependencies, 62 installing products with patches, 84
corequisite and prerequisite filesets, 34 on patch details page, 15
Dynamic Root Disk, 13 overview, 33
HP-UX Software Assistant, 52, 74 depots, 67
patch ancestors, 27 see also directory depots
patch cleanup utility, 36 see also tape depots
patch warnings, 43 choosing type and location, 70
readme attribute, 40 installing patches from, 81
rollback files, 35 overview, 20
scanning for security patches, 54 types, 68
security patching strategy, 53 use strategy, 69
special installation instructions, 61 viewing, 70
supersession information, 29 details page, 39
supersession, patch_state attribute, 29 directory depots
ancestor attribute, 32 adding and updating applications, 74
ancestors, 27 advantages over tape, 68
attributes related to patches, 31 copying a patch, 73
autoselect_patches creating from existing depot, 72
swcopy, 74 installing select applications from, 84
swinstall, 84 overview, 68
registering, 75
B removing, 80
backup, 43 removing software, 78
BUNDLE11i, 55 removing superseded patches, 79
see also standard HP-UX patch bundles unregistering, 75
use and release date table, 56 using, 67
bundles, 55 see patch bundles verifying, 76
see also standard HP-UX patch bundles viewing, 70
documentation
C all related, 95
care pack information in the HPSC, 58 DRD, 91
category tags, 22 Ignite-UX, 95
category_tag attribute, 32 Software Distributor, 95
check_patches, 67 SWA, 89
cleanup, 67 Dynamic Root Disk (DRD)
depot example, 79 documentation, 91
example of preview mode, 36 overview, 13
configured SW state, 21 using, 90
corequisites, 34
corrupt SW state, 22 E
critical category tag, 23 enforced dependencies see dependencies
critical patches, 38 enhancement category tag, 22
critical warnings, 42
custom patch bundles, 84 F
Custom Patch Manager, 65 Feature Enablement patch bundle see FEATURE11i
FEATURE11i, 55
D see also standard HP-UX patch bundles
Data Protector, 43 overlapping content with QPK and HWE, 56
dependencies, 34 overview, 46
see also manual dependencies use and release date table, 56
and FEATURE11i, 46 firmware category tag, 23
114 Index
H quick start, 10
Hardware Enablement patch bundle see HWE patch strategies
hardware_enablement category tag, 22 overview, 48
HPSC proactive, 51
forums, 65 reactive, 52
getting access to patch download, 58 risk and downtime management, 48
Knowledge Base, 65 security, 53
patch database, 58, 59 using depots, 69
Subscriber's Choice, 65 using DRD, 90
using, 58 using SWA, 89
using to get information, 40 patch_state attribute, 29, 32
webpages, 58 patches, 8
HWE, 55 see also patch bundles
see also standard HP-UX patch bundles see also patch management
overview, 46 acquiring, 9, 14
reboot on install, 13 ancestors, 27
use and release date table, 56 attributes, 31
category tags, 22
I commitment, 36
Ignite-UX concepts, 18
about, 84 critical, 38
documentation, 95 decoding patch names, 18
recovery tools, 43 details, 39
individual patches see patches getting, 59
installed SW state, 21 getting information about a patch, 39
is_patch attribute, 32 individual versus bundles, 10
is_reboot attribute, 32 installing, 16
noncritical, 38
M overview, 18
manpages ratings, 37
DRD, 91 removing, 35
SWA, 89 rollback, 35
manual dependencies security, 53
about, 34 state, 21
checking for in the Patch Database, 62 status, 20
listing with swlist, 25 supersession, 28
using swlist to get readme information, 40 testing, 54
manual_dependencies category tag, 23 text file, 39
using individual patches, 10
N warnings, 41
network depots see directory depots patching, 51
noncritical patches, 38 see also patch strategies
noncritical warnings, 42 importance of, 8
Quick Start Guide, 10
P using DRD, 90
Patch Assessment Tool, 92 using SWA, 89
patch bundles, 55 where to start, 9
see also standard HP-UX patch bundles prerequisites, 34
custom, 65 proactive patching strategy, 51
overview, 19 see also patch strategies
patch database
gaining access, 58 Q
using, 59 QPK, 55
patch dependencies see dependencies see also standard HP-UX patch bundles
patch depots see depots and SWA, 89
patch management overview, 46
importance of, 8 reboot on install, 13
life cycle, 45 use and release date table, 56
overview, 8, 45 Quality Pack patch bundle see QPK
115
Quick Start Guide, 10 chain diagram, 31, 33
displaying information, 29
R overview, 28
ratings, 37 support agreement information in the HPSC, 58
reactive patching strategy, 52 SWA
see also patch strategies documentation, 89
readme attribute, 32, 40 using, 89
recovery, 43 swcopy, 68
registered depots, 75 category tags, 22
Required Patch Bundle see BUNDLE11i create a depot, 72
resources example, 73
all related, 95 manpage, 72
DRD, 91 options, 72
SWA, 89 patch dependencies, 74
registered depots, 75
S swinstall, 68
SD-UX see Software Distributor autoselect_patches, 84
security, 53 category tags, 22
security patching strategy, 53 example, 82
see also patch strategies installing bundles, 13
Selected Patch List Table, 61 installing patches, 16, 81
serial access depots, 69 remote access, 70
service contracts, 48 rollback files, 35
show_patches, 68 swlist, 68
availability of command, 61 attributes, 33
list Special Installation instructions, 47 bundles, 19, 84
show superseded patches, 29 category tags, 22, 39
Software Assistant see SWA corequisite and prerequisite filesets, 34
Software Depot, 57 depot registration, 75
software depots see depots examples, 23, 71, 84
Software Distributor overview, 23
commands, 67 patch ancestors, 27
description of SW object structure, 18 patch_id, 22
documentation, 95 patch_state, 21, 29
software_spec attribute, 32 readme attribute, 40
special installation instructions, 61 supersession information, 29
special_release category tag, 23 variations, 26
standard HP-UX patch bundles, 55 viewing depots, 70
see also FEATURE11i swmodify, 68
see also HWE patch commit, 36
see also QPK swreg, 68
acquiring, 11 examples, 75
finding in the patch database, 65 registered depots, 75
installing, 12 removing depot, 80
key features, 55 swremove, 68
names, 55 examples, 78
names and HP-UX versions, 11 options, 78
obtaining, 57 patch rollback, 35
overview, 55 registered depots, 75
release dates, 56 swverify, 68
using, 10, 46, 56 examples, 76
state attribute, 21, 32 options, 76
strategies see patch strategies overview, 76
Subscriber's Choice, 65 sysdiff, 68
superseded_by attribute, 33
supersedes attribute, 33 T
supersession tape depots
and patch_state attribute, 29 creating directory depot from tape depot, 72
and the cleanup utility, 79 disadvantages, 68
116 Index
overview, 69
registered, 75
using, 67
viewing, 70
text file for a patch, 39
tools
Custom Patch Manager, 65
DRD, 90
Patch Assessment Tool, 92
Software Distributor commands, 67
SWA, 89
transient SW state, 22
U
unenforced dependencies see manual dependencies
usage models for patching, 99
W
warning information, 41
warranty information in the HPSC, 58
117