HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)
security_patch_check(1M) security_patch_check(1M)
https_proxy=http://myproxy.mynet.com:8088
A web proxy generally uses the HTTP protocol (even for proxying HTTPS and FTP data). If you specify a URL on the command line and you wish to traverse a proxying firewall, then you must specify the proxy which corresponds to that URL. For example, set the http_proxy option if the URL begins with http://. Some protocols (such as telnet) do not do file transfers, and other protocols (such as file) cannot be used over a proxy.
NOTE: If you are running security_patch_check from within Systems Insight Manager, instead of running the "Get Bulletin Catalog" tool, you can also download the catalog manually from one of the above URLs and save the catalog to /var/opt/sec_mgmt/security_catalog. To allow Systems Insight Manager to use your proxy to get the catalog, you must set the https_proxy, http_proxy, or ftp_proxy variable (and any other configuration environment variables not already set in the security_patch_check client's configuration file, /etc/opt/sec_mgmt/spc/spc_config) in the environment. For example, insert
export ftp_proxy=http://myproxy.mynet.com:8088
into /etc/profile to enable FTP download through the specified proxy. The "Get Patch Catalog" tool in Systems Insight Manager will read in /etc/profile before executing security_patch_check.
HTTPS Specific Configuration
Each of the following variables can be configured in the security_patch_check configuration file, /etc/opt/sec_mgmt/spc/spc_config, or as environment variables in the user shell. For each of these variables, reasonable defaults are set in the configuration file, and can be used as examples. By default, security_patch_check requires server certificate validation for all HTTPS requests. Therefore, you must specify the trusted CA certificate used to issue the remote server's certificate by correctly setting either the HTTPS_CA_FILE or the HTTPS_CA_DIR variable below.
CRLCHECK
When this variable is set to 1, security_patch_check will require the certificate revocation list to be updated and checked for the trusted CA certificate being used to validate the remote server. This means the CRLURL variable must also be set, and only the certificate used to sign the downloaded revocation list can be used to validate the server connection. When enabled, this configuration provides the remote server a mechanism to revoke its certificate through the certificate authority, but also requires regular downloads from the certificate authority, which can lengthen the security_patch_check run time. If you do not wish to validate a revocation list, set this variable to 0.
CRLURL
Contains the URL where the certificate revocation list (CRL) for the trusted certificate being used to download the security catalog can be downloaded. If you are behind a proxy, then you will need to configure the proxy information for the protocol being used to download the CRL.
HTTPS_CA_DIR
A directory containing files, each of which consists of one PEM-encoded trusted CA certificate. If using certificates other than the defaults shipped by HP, note that these files should be indexed using the certificate's subject name hash value, in the form "hash.0". Use the OpenSSL utility c_rehash to index the certificates in the directory, creating the hash.0 format files for each certificate file in the directory which ends with the .pem extension.
HTTPS_CA_FILE
The fully qualified path to a file containing PEM-encoded CA certificates which will be trusted by security_patch_check.
OPENSSLDIR
The directory path containing the openssl and c_rehash binaries.
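The variables above depend on each other: certificate validation needs HTTPS_CA_FILE or HTTPS_CA_DIR, CRLCHECK=1 needs CRLURL, and a proxied host needs a proxy for the CRL's protocol. The following shell check is an added example, not part of the HP-UX manual; it assumes spc_config is a file of KEY=value lines (optionally prefixed with export), and the paths and URLs in its sample files are placeholders.

```shell
# Added example, not part of the HP-UX manual: lint a security_patch_check
# configuration against the HTTPS rules above. Assumes an spc_config-style file
# of KEY=value lines, optionally prefixed "export"; the real syntax is undocumented here.

cfg_get() {   # cfg_get FILE KEY -> last value assigned to KEY, or empty
    sed -n "s/^\(export \)\{0,1\}$2=//p" "$1" | tail -n 1
}
spc_config_lint() {   # prints each inconsistency; the return status is the problem count
    cfg=$1 problems=0
    # Certificate validation needs a trust anchor: HTTPS_CA_FILE or HTTPS_CA_DIR.
    if [ -z "$(cfg_get "$cfg" HTTPS_CA_FILE)" ] && [ -z "$(cfg_get "$cfg" HTTPS_CA_DIR)" ]; then
        echo "HTTPS_CA_FILE or HTTPS_CA_DIR must point at the trusted CA certificate(s)"
        problems=$((problems + 1))
    fi
    # Any proxy setting at all is taken as evidence that the host sits behind a proxy.
    anyproxy=$(cfg_get "$cfg" http_proxy)$(cfg_get "$cfg" https_proxy)$(cfg_get "$cfg" ftp_proxy)
    crlurl=$(cfg_get "$cfg" CRLURL)
    case "$(cfg_get "$cfg" CRLCHECK)" in
    1)  case "$crlurl" in   # CRL checking needs a URL, and a proxy for that URL's protocol
        *://*)
            scheme=${crlurl%%://*}
            if [ -n "$anyproxy" ] && [ -z "$(cfg_get "$cfg" "${scheme}_proxy")" ]; then
                echo "proxy in use but no ${scheme}_proxy set for CRLURL=$crlurl"
                problems=$((problems + 1))
            fi ;;
        *)  echo "CRLCHECK=1 requires CRLURL (got '$crlurl')"; problems=$((problems + 1)) ;;
        esac ;;
    0)  echo "note: CRLCHECK=0, so a revoked server certificate is still accepted" ;;
    *)  echo "CRLCHECK must be 0 or 1"; problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample files: one consistent, one missing a trust anchor and the CRL proxy.
tmp=$(mktemp -d)
cat > "$tmp/good.cfg" <<'EOF'
http_proxy=http://myproxy.mynet.com:8088
https_proxy=http://myproxy.mynet.com:8088
HTTPS_CA_FILE=/path/to/trusted-ca.pem
CRLCHECK=1
CRLURL=http://crl.ca.example/issuing.crl
EOF
cat > "$tmp/weak.cfg" <<'EOF'
export https_proxy=http://myproxy.mynet.com:8088
CRLCHECK=1
CRLURL=http://crl.ca.example/issuing.crl
EOF
for f in good weak; do
    echo "== $f.cfg"; spc_config_lint "$tmp/$f.cfg" || echo "-> $? problem(s)"
done
```

Run it against the real /etc/opt/sec_mgmt/spc/spc_config before a catalog download; a non-zero status means the run would either fail validation or fetch the CRL without the proxy it needs.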
The security bulletin catalog can also be downloaded manually from any of the following URLs:
https://itrc.hp.com/service/patch/securityPatchCatalog.do?item=security_catalog2.gz
http://itrc.hp.com/service/patch/securityPatchCatalog.do?item=security_catalog2.gz
ftp://ftp.itrc.hp.com/export/patches/security_catalog2.gz
330 Hewlett-Packard Company − 5 − HP-UX 11i Version 3: February 2007