Software Distributor (SD-UX) Administration Guide HP-UX 11i v1, 11i v2, and 11i v3 (762797-001, March 2014)
Table Of Contents
- Software Distributor Administration Guide
- Contents
- HP secure development lifecycle
- About This Document
- 1 Introduction to Software Distributor
- SD-UX Overview
- SD-UX Concepts
- Using the GUI and TUI Commands
- The Terminal User Interface
- Starting the GUI/TUI Commands
- Window Components
- Opening and closing items in the object list
- Marking Items in the Object List
- Preselecting Host Files
- Software Selection Window
- Session and File Management—The File Menu
- Changing Software Views—The View Menu
- Changing Options and Refreshing the Object List—The Options Menu
- Performing Actions—The Actions Menu
- Getting Help—The Help Menu
- XToolkit Options and Changing Display Fonts
- Working from the Command Line
- 2 Installing Software
- Installation with swinstall
- Features and Limitations
- Installing with the GUI
- Installing from the Command Line
- Installation Tasks and Examples
- Updating to HP-UX 11i
- Installing Patches
- Recovering Updated Files
- Installing Software That Requires a System Reboot
- Using Software Codewords and Customer IDs
- Re-installing Software Distributor
- Installing Multiple Versions
- Installing to an Alternate Root
- Compatibility Filtering and Checking
- Software Selection Checking
- Configuring Your Installation (swconfig)
- Verifying Your Installation (swverify)
- Installation with swinstall
- 3 Managing Installed Software
- 4 Managing Software Depots
- Depot Management Commands and Concepts
- Copying Software Depots
- Registering and Unregistering Depots (swreg)
- Verifying Signed Software Signatures
- Additional Depot Management Tasks and Examples
- Combining Patch Depots
- Creating a Tape Depot for Distribution
- Setting Depot Attributes
- Creating a Network Depot
- Managing Multiple Versions of HP-UX
- Listing Registered Depots
- Listing the Contents of a Depot (swlist -d)
- Source Depot Auditing
- Verifying a Depot (swverify -d)
- Removing Software from Depots
- Removing a Depot
- 5 HP-UX Patching and Patch Management
- 6 Using Jobs and the Job Browser
- 7 Remote Operations Overview
- 8 Reliability and Performance
- 9 SD-UX Security
- 10 Creating Software Packages
- Overview of the Packaging Process
- Identifying the Products to Package
- Adding Control Scripts
- Creating a Product Specification File (PSF)
- Product Specification File Examples
- PSF Syntax
- PSF Object Syntax
- Selecting the PSF Layout Version
- PSF Value Types
- Product Specification File Semantics
- Re-Specifying Files
- Packaging the Software (swpackage)
- Packaging Tasks and Examples
- Registering Depots Created by swpackage
- Creating and Mastering a CD-ROM Depot
- Compressing Files to Increase Performance
- Packaging Security
- Repackaging or Modifying a Software Package
- Packaging In Place
- Following Symbolic Links in the Source
- Generating File Revisions
- Depots on Remote File Systems
- Verifying the Software Package
- Packaging Patch Software
- Writing to Multiple Tapes
- Making Tapes from an Existing Depot
- 11 Using Control Scripts
- Introduction to Control Scripts
- General Script Guidelines
- Packaging Control Scripts
- Using Environment Variables
- Execution of Control Scripts
- Execution of Other Commands by Control Scripts
- Control Script Input and Output
- File Management by Control Scripts
- Testing Control Scripts
- Requesting User Responses (swask)
- Request Script Tasks and Examples
- 12 Nonprivileged SD
- A Command Options
- B Troubleshooting
- Error Logging
- Common Problems
- Cannot Contact Target Host’s Daemon or Agent
- GUI Won’t Start or Missing Support Files
- Access To An Object Is Denied
- Slow Network Performance
- Connection Timeouts and Other WAN Problems
- Disk Space Analysis Is Incorrect
- Packager Fails
- Command Logfile Grows Too Large
- Daemon Logfile Is Too Long
- Cannot Read a Tape Depot
- Installation Fails
- swinstall or swremove Fails With a Lock Error
- Use of Square Brackets ([ and ]) Around an IPv6 Address Causes an Error
- Some SD commands do not work after network configuration changes
- C Replacing or Updating SD-UX
- D Software Distributor Files and File System Structure
- Glossary
- Index
Agents Run with the System’s Identity
The SD-UX agents and daemons run with the privileges of a superuser; but they also have the
special identity of the host system on which they are executing. When a target agent makes an
RPC call to a source agent, two sets of credentials are passed with the call:
• those of the agent’s system
• those of the user running the controller on whose behalf the target agent runs
While local superuser privilege is necessary for the agent to do required local file system operations
such as file creation and deletion, ACL management, etc., this level of permission is neither required
nor desired for DCE RPC operations with other SD-UX processes.
When SD-UX agents perform RPCs, they assume the identity of the system on which they run, rather
than that of a particular user.
Security Between Hosts: The Shared Secrets File
In addition to the caller’s credentials, other evidence of trustworthiness is also sent in the RPC. The
SD-UX agent checks this evidence before accepting the caller credentials. This evidence consists
of passing the encryption of a secret password. The password is read from the shared secrets file.
This file is located on systems in /var/adm/sw/security/secrets.
NOTE: The SD-UX Secret must be the same on both the target system and the controller.
The agent compares this encrypted secret to the encryption of a local secret it shares with the
controller’s host. If the secrets do not match, the call is not authenticated and it fails.
Secrets are stored by host name in the secrets file and are used to establish trust between two
systems. The controller selects a secret in the file that corresponds with the host name of the system
on which it is running. The agent, upon receipt of an RPC from the controller, looks up a secret
associated with the controller’s host.
For example, if the controller is running on alma.fc.hp.com and makes a request of an agent
running on lehi.fc.hp.com, each of the two processes will look up the secret associated with
alma.fc.hp.com (the controller’s host) from their respective secrets file.
Here is an example of the format of the shared secrets file:
default quicksilver
lehi.fc.hp.com s28ckjd9
alma.fc.hp.com 32hwt
newdist.fc.hp.com zztop
noway.fc.hp.com daisey
The first column represents the controller’s host name and the second column represents the
controller’s secret.
There is also a provision for a default secret (quicksilver in the example above), to be used
when no system name match is found in the secrets file. The entry is identified with the default
pseudo-host name. This entry allows open SD-UX interconnect between hosts sharing the same
default entry. SD-UX is shipped with the secret -sdu- that should be changed for your site.
When you change a host’s secret, make sure you change it in the secrets files of all hosts with
which you work. The secrets file may be produced in a single site, then copies distributed to all
participating hosts.
NOTE: The secrets discussed here does not grant any access to SD-UX objects, but do allow a
host to participate in SD-UX operations.
RPC Authorization
This section discusses how agents handle controller requests, local superuser authorization, depot
registration, and daemon/agent security
RPC Authorization 159