Software Distributor (SD-UX) Administration Guide HP-UX 11i v1, 11i v2, and 11i v3 (762797-001, March 2014)
Table Of Contents
- Software Distributor Administration Guide
- Contents
- HP secure development lifecycle
- About This Document
- 1 Introduction to Software Distributor
- SD-UX Overview
- SD-UX Concepts
- Using the GUI and TUI Commands
- The Terminal User Interface
- Starting the GUI/TUI Commands
- Window Components
- Opening and closing items in the object list
- Marking Items in the Object List
- Preselecting Host Files
- Software Selection Window
- Session and File Management—The File Menu
- Changing Software Views—The View Menu
- Changing Options and Refreshing the Object List—The Options Menu
- Performing Actions—The Actions Menu
- Getting Help—The Help Menu
- XToolkit Options and Changing Display Fonts
- Working from the Command Line
- 2 Installing Software
- Installation with swinstall
- Features and Limitations
- Installing with the GUI
- Installing from the Command Line
- Installation Tasks and Examples
- Updating to HP-UX 11i
- Installing Patches
- Recovering Updated Files
- Installing Software That Requires a System Reboot
- Using Software Codewords and Customer IDs
- Re-installing Software Distributor
- Installing Multiple Versions
- Installing to an Alternate Root
- Compatibility Filtering and Checking
- Software Selection Checking
- Configuring Your Installation (swconfig)
- Verifying Your Installation (swverify)
- Installation with swinstall
- 3 Managing Installed Software
- 4 Managing Software Depots
- Depot Management Commands and Concepts
- Copying Software Depots
- Registering and Unregistering Depots (swreg)
- Verifying Signed Software Signatures
- Additional Depot Management Tasks and Examples
- Combining Patch Depots
- Creating a Tape Depot for Distribution
- Setting Depot Attributes
- Creating a Network Depot
- Managing Multiple Versions of HP-UX
- Listing Registered Depots
- Listing the Contents of a Depot (swlist -d)
- Source Depot Auditing
- Verifying a Depot (swverify -d)
- Removing Software from Depots
- Removing a Depot
- 5 HP-UX Patching and Patch Management
- 6 Using Jobs and the Job Browser
- 7 Remote Operations Overview
- 8 Reliability and Performance
- 9 SD-UX Security
- 10 Creating Software Packages
- Overview of the Packaging Process
- Identifying the Products to Package
- Adding Control Scripts
- Creating a Product Specification File (PSF)
- Product Specification File Examples
- PSF Syntax
- PSF Object Syntax
- Selecting the PSF Layout Version
- PSF Value Types
- Product Specification File Semantics
- Re-Specifying Files
- Packaging the Software (swpackage)
- Packaging Tasks and Examples
- Registering Depots Created by swpackage
- Creating and Mastering a CD-ROM Depot
- Compressing Files to Increase Performance
- Packaging Security
- Repackaging or Modifying a Software Package
- Packaging In Place
- Following Symbolic Links in the Source
- Generating File Revisions
- Depots on Remote File Systems
- Verifying the Software Package
- Packaging Patch Software
- Writing to Multiple Tapes
- Making Tapes from an Existing Depot
- 11 Using Control Scripts
- Introduction to Control Scripts
- General Script Guidelines
- Packaging Control Scripts
- Using Environment Variables
- Execution of Control Scripts
- Execution of Other Commands by Control Scripts
- Control Script Input and Output
- File Management by Control Scripts
- Testing Control Scripts
- Requesting User Responses (swask)
- Request Script Tasks and Examples
- 12 Nonprivileged SD
- A Command Options
- B Troubleshooting
- Error Logging
- Common Problems
- Cannot Contact Target Host’s Daemon or Agent
- GUI Won’t Start or Missing Support Files
- Access To An Object Is Denied
- Slow Network Performance
- Connection Timeouts and Other WAN Problems
- Disk Space Analysis Is Incorrect
- Packager Fails
- Command Logfile Grows Too Large
- Daemon Logfile Is Too Long
- Cannot Read a Tape Depot
- Installation Fails
- swinstall or swremove Fails With a Lock Error
- Use of Square Brackets ([ and ]) Around an IPv6 Address Causes an Error
- Some SD commands do not work after network configuration changes
- C Replacing or Updating SD-UX
- D Software Distributor Files and File System Structure
- Glossary
- Index
1. Establish the group swadm on the controller host as described above.
2. Edit the three host ACLs on each target system. If you used the suggested setup discussed in
“Setting Up Remote Operations” (page 121) to install the agents on the target systems, you
may edit the three host ACLs on the Targets as superuser on the system from which you
performed setup:
swacl -l host \
-M group:swadm@`hostname`:a @ remsys1. . .remsysN
swacl -l global_soc_template \
-M group:swadm@`hostname`:a @ remsys1. . .remsysN
swacl -l global_product_template \
-M group:swadm@`hostname`:a @ remsys1. . .remsysN
You may want to grant permissions to specific users to manage particular products on the primary
depot. For example, user ramon may be assigned responsibility to manage the ALLBASE product
on your depot, installing new versions and patches when they become available. To add ramon
to the ACL for ALLBASE on the local depot and grant him all permissions on that one product, run
the command:
swacl -l product -M user:ramon:a ALLBASE
At the same time, you may want to eliminate the ACL entry for group swadm for the same product:
swacl -l product -D group:swadm ALLBASE
Security in Local Distributions
Host administrators may grant permission to individual users or groups, trusted at the local host,
to administer software locally. Trusted local users have root ACL entries granting insert and write
permissions. At the source depot, access to all software products is allowed by unrestricted read
access to hosts, depots, and products. This is the basis of a pull model of software distribution.
Restricting Installation to Specific Target Systems by Specific Users
Managers of software source depots may leave software openly installable, as described above,
or may choose to limit distribution to specific systems. ACLs protecting source depot products may
contain entries that restrict product read access to only specified systems, allowing installation only
to those systems. This restriction applies to both the push and pull models.
Below is a sample product ACL that restricts read permission to systemA and systemB and grants
all permissions to user swadm:
user:swadm:rwict
host:systemA.loc.company.com:r
host:systemB.fc.hp.com:r
Security for Software Developers
Software developers iteratively package their products and test them before distribution. This
involves packaging products into depots and installing them to Roots for testing. Since it may
require several iterations to get all the customization right, it is not helpful to prevent software
developers from having free access to depots and Roots for this testing.
You should also not have products that are being tested, coming and going on wide-use depots
and roots. They might accidentally be installed or used before they are ready.
The recommended method of development is to provide one or more development depots and
roots for testing purposes, each with protections customized to meet the needs of the development
group using them. To this end, the default ACL template mechanism described previously is handy,
since products come and go quickly.
A host administrator (someone with insert permission on the host) should create the test depot for
developers, then assign a depot administrator and edit the depot ACL to grant that person control
(ACL edit) permission on the depot. The depot’s product ACL template should then be set up so
162 SD-UX Security