HP-UX Reference (11i v2 07/12) - 1M System Administration Commands N-Z (vol 4)

security_patch_check(1M) security_patch_check(1M)
CRLCHECK
When this variable is set to 1, security_patch_check will require the certificate revocation list
to be updated and checked for the trusted CA certificate being used to validate the remote server.
This means the CRLURL variable must also be set and only the certificate used to sign the
downloaded revocation list can be used to validate the server connection. When enabled, this
configuration provides the remote server a mechanism to revoke its certificate through the
certificate authority, but also requires regular downloads from the certificate authority, which can
lengthen the security_patch_check run time. If you do not wish to validate a revocation list, set
this variable to 0.
CRLURL
Contains the URL where the certificate revocation list (CRL), for the trusted certificate being used to
download the security catalog, can be downloaded. If you are behind a proxy then you will need to
configure the proxy information for the protocol being used to download the CRL.
HTTPS_CA_DIR
A directory containing files, each of which consists of one PEM-encoded trusted CA certificate. If
using certificates other than the defaults shipped by HP, note that these files should be indexed using
the certificate's subject name hash value, in the form "hash.0". Use the OpenSSL utility, c_rehash,
to index the certificates in the directory, creating the hash.0 format files for each certificate file in the
directory which ends with the .pem extension.
HTTPS_CA_FILE
The fully qualified path to a file containing PEM-encoded CA certificates which will be trusted by
security_patch_check.
OPENSSLDIR
The directory path containing the openssl and c_rehash binaries.
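A pre-flight check for the CRLCHECK/CRLURL and HTTPS_CA_DIR settings described above, as an added example that is not part of the HP-UX manual or of security_patch_check itself. It flags .pem files in a CA directory that have no hash-named index entry and rejects CRLCHECK=1 without a CRLURL; passing the values as function arguments and the placeholder file contents are assumptions.

```shell
#!/bin/sh
# Added example, not HP code. Assumption: the settings are passed in as
# arguments; how security_patch_check itself reads them is not modelled.

# audit_ca_dir DIR: report every *.pem in DIR that has no hash-named entry
# (8 hex digits + ".N") with identical content, i.e. one c_rehash has not
# indexed. Only the presence of an index entry is checked, not the hash value.
audit_ca_dir() {
    dir=$1
    missing=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue   # unmatched glob stays literal
        found=0
        for idx in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
            [ -e "$idx" ] || continue   # skips dangling links too
            if cmp -s "$pem" "$idx"; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "not indexed: $pem"
            missing=1
        fi
    done
    return "$missing"
}

# audit_crl_settings CRLCHECK CRLURL: CRLCHECK=1 is only valid with a CRLURL.
audit_crl_settings() {
    case "$1" in
        0) return 0 ;;
        1) if [ -n "$2" ]; then return 0; fi
           echo "CRLCHECK=1 but CRLURL is empty"; return 1 ;;
        *) echo "CRLCHECK must be 0 or 1, got '$1'"; return 1 ;;
    esac
}

# Demo on constructed placeholder files (not real certificates).
demo=$(mktemp -d)
printf 'constructed-cert-A\n' > "$demo/a.pem"
printf 'constructed-cert-B\n' > "$demo/b.pem"
ln -s a.pem "$demo/0123abcd.0"   # stand-in for a c_rehash index entry
audit_ca_dir "$demo" || echo "run c_rehash on the CA directory"
audit_crl_settings 1 "" || echo "set CRLURL or set CRLCHECK=0"
rm -rf "$demo"
```

To confirm that an index name is the correct one for a real certificate, compare it with the output of `openssl x509 -noout -hash -in <file>`.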
The security bulletin catalog can also be downloaded manually from any of the following URLs:
https://itrc.hp.com/service/patch/securityPatchCatalog.do?item=security_catalog2.gz
http://itrc.hp.com/service/patch/securityPatchCatalog.do?item=security_catalog2.gz
ftp://ftp.itrc.hp.com/export/patches/security_catalog2.gz
SOFTWARE ASSISTANT TRANSITION
The following table lists Security Patch Check options and some corresponding options for Software
Assistant (SWA). This is not an equivalency mapping. SWA has a different interface and more
functionality. As such, some of the options have changed in meaning and not just in name.
SPC Option    SWA Single Letter Option    SWA Extended Option
-c            n/a                         catalog
-h            -s                          inventory_source
-i            n/a                         ignore_file
-o            -r                          stdout_report_type
-q            n/a                         report_when_no_issues
-q            -q                          verbosity
-r            n/a                         catalog_source
-u            -?                          n/a
The primary way to access the reporting functionality of Software Assistant is through the swa report
major mode. See swa-report(1M) for detailed explanations for these options. For additional information
about Software Assistant functionality, see swa(1M) and other associated man pages.
The proxy environment variables ftp_proxy, http_proxy, https_proxy also work for SWA. They
can also be set as extended options using the -x command-line option or in an SWA configuration file.
While SPC uses these options to determine which catalog source URL to try first, SWA will use the URL
explicitly set using the catalog_source extended option, independent of the proxy settings. SWA also
uses Java(TM) libraries to implement the download functionality. In some cases where SPC required
explicit setting of proxies, SWA is able to automatically detect network proxy settings and use them
without an explicit setting. For more complex network topology (for example, proxies that require more than HTTP
HP-UX 11i Version 2: December 2007 Update 6 Hewlett-Packard Company 307