11 Replies. Latest reply: May 17, 2009 10:12 PM by 807567

    Solaris 10 x86 Update Manager & smpatch errors

    807567
      I've recently installed Solaris 10 on two x86 machines and, even after installing patch 121119-15, I'm having Update Manager and smpatch issues. It appears to be due to certificate troubles.

      I've followed several sets of instructions (including cacaoadm stop/start and registration) and nothing has seemed to work.

      I have successfully connected to:

      # telnet sun.com 80
      # telnet cns-services.sun.com 443
      # telnet getupdates1.sun.com 443
      # telnet a248.e.akamai.net 443

      I have also tried:
      # cacaoadm stop
      # cacaoadm status
      # /usr/lib/cc-ccr/bin/eraseCCRRepository
      # rm /var/scn/persistence/SCN*
      # cacaoadm start

      Reregistering didn't change anything.

      Thanks in advance for everyone's help!


      ~~~~~~~~
      Output of smpatch analyze:

      bash-3.00# smpatch analyze -C patchpro.debug=true
      Effective proxy host : ""
      Effective proxy port : ""
      Effective proxy user : ""
      Last Modified Date read: Wed Dec 31 19:00:00 EST 1969
      ... Submitting download request against a GUUS server
      ... ... Hostname of URL is getupdates1.sun.com
      ... ... Filename of URL is /xml/motd.xml
      ... ... File path portion of URL is /xml/motd.xml
      Defining request header : IF_MODIFIED_SINCE... valueWed Dec 31 19:00:00 EST 1969
      Key 1 : Server = Sun-Java-System-Web-Server/7.0
      Key 2 : Date = Mon, 11 May 2009 20:43:31 GMT
      Key 3 : Content-disposition = attachment; filename=xml/motd.xml
      Key 4 : Content-type = text/xml
      Key 5 : Content-length = 10513
      Key 6 : Set-Cookie = 01SessionID=0xe2849044; path=/
      Last Modified Date value written to /var/sadm/spool/cache/xml/https%3A%2F%2Fgetupdates1.sun.com%2F%2Fmotd.xml.lmd is 0
      Date format for this value: Wed Dec 31 19:00:00 EST 1969
      Last Modified Date file updated : /var/sadm/spool/cache/xml/https%3A%2F%2Fgetupdates1.sun.com%2F%2Fmotd.xml.lmd
      Last Modified Date read: Wed Dec 31 19:00:00 EST 1969
      ... Submitting download request against a GUUS server
      ... ... Hostname of URL is getupdates1.sun.com
      ... ... Filename of URL is /xml/motd.xml
      ... ... File path portion of URL is /xml/motd.xml
      Defining request header : IF_MODIFIED_SINCE... valueWed Dec 31 19:00:00 EST 1969
      Key 1 : Server = Sun-Java-System-Web-Server/7.0
      Key 2 : Date = Mon, 11 May 2009 20:43:31 GMT
      Key 3 : Content-disposition = attachment; filename=xml/motd.xml
      Key 4 : Content-type = text/xml
      Key 5 : Content-length = 10513
      Key 6 : Set-Cookie = 01SessionID=0xfb9fa105; path=/
      Last Modified Date value written to /var/sadm/spool/cache/xml/https%3A%2F%2Fgetupdates1.sun.com%2F%2Fmotd.xml.lmd is 0
      Date format for this value: Wed Dec 31 19:00:00 EST 1969
      Last Modified Date file updated : /var/sadm/spool/cache/xml/https%3A%2F%2Fgetupdates1.sun.com%2F%2Fmotd.xml.lmd
      Effective proxy host : ""
      Effective proxy port : ""
      Effective proxy user : ""
      ... Submitting download request against a GUUS server
      ... ... Hostname of URL is getupdates1.sun.com
      ... ... Filename of URL is /database/current2.zip
      ... ... File path portion of URL is /database/current2.zip
      Effective proxy host : ""
      Effective proxy port : ""
      Effective proxy user : ""
      ... Submitting download request against a GUUS server
      ... ... Hostname of URL is getupdates1.sun.com
      ... ... Filename of URL is /detector/detectors.jar
      ... ... File path portion of URL is /detector/detectors.jar
      Defining request header : IF_MODIFIED_SINCE... valueWed Dec 31 19:00:00 EST 1969
      Defining request header : IF_MODIFIED_SINCE... valueWed Dec 31 19:00:00 EST 1969
      Failure: Cannot connect to retrieve current2.zip: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

      ~~~~~~~~~~~~~~~~~~~~~~
      Output of suc.sh:
      bash-3.00# ./suc.sh

      User: root
      Logname: root
      Mon May 11 16:44:15 EDT 2009
      opc-sec-fimdev3


      smpatch settings:

      patchpro.backout.directory "" ""
      patchpro.baseline.directory - /var/sadm/spool
      patchpro.download.directory /var/sadm/spool /var/sadm/spool
      patchpro.install.types - rebootafter:reconfigafter:standard
      patchpro.patch.source - https://getupdates1.sun.com/
      patchpro.patchset current2 current2
      patchpro.proxy.host "" ""
      patchpro.proxy.passwd **** ****
      patchpro.proxy.port "" 8080
      patchpro.proxy.user "" ""


      smpatch analyze:

      Failure: Cannot connect to retrieve current2.zip: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


      Entitlement:

      Solaris10Security
      SolarisSecurityUpdates
      SolarisDataIntegrityUpdates
      SolarisHardwareUpdates
      SolarisUtilityUpdates
      Public
      Solaris10
      SolarisAllUpdates
      ContractRequired


      Sun UC patch revision:

      119789-09
      120336-04
      121082-06
      121119-13
      121119-15
      121454-02
      123004-03
      123006-07
      123631-03
      123896-05
      124187-07


      Solaris release:

      Solaris 10 10/08 s10x_u6wos_07b X86
      Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
      Use is subject to license terms.
      Assembled 27 October 2008


      Solaris Kernel: Generic_137138-09
      Machine Type: i86pc
      Platform: i86pc


      Java -version:

      java version "1.5.0_16"
      Java(TM) Platform, Standard Edition for Business (build 1.5.0_16-b02)
      Java HotSpot(TM) Client VM (build 1.5.0_16-b02, mixed mode, sharing)


      Cacao Java version:

      java-home=/usr/jdk/jdk1.5.0_16


      Software Cluster:

      CLUSTER=SUNWCall


      All ccr properties:

      20:
      Property not defined: 20

      cns.assetid:
      8kh0OIj4ADe5LdHlrU88bic3Lps=

      cns.br.SunUCenabled:
      true

      cns.ccr.keyGenPath:
      /usr/lib/cc-ccr/bin/ccrKeyGen

      cns.clientid:
      a1b19f4d-37db-446f-9707-181b8e47f0d6

      cns.httpproxy.auth:


      cns.httpproxy.ipaddr:


      cns.httpproxy.port:


      cns.patchsvr.cachelocation:
      /var/sadm/spool/patchsvr

      cns.patchsvr.patchsource:
      https://getupdates.sun.com

      cns.regtoken:
      1c230c7b-4d6c-43f8-9802-c2c89f96493d:1269820800000:T

      cns.security.password:
      IJ3RI+p/Cb9M2qyVpqnw7ycp6tXQkSGkhIT/D/0KiPtH

      cns.security.privatekey:
      -----BEGIN ENCRYPTED PRIVATE KEY-----
      REMOVED
      -----END ENCRYPTED PRIVATE KEY-----


      cns.security.publickey:
      -----BEGIN PUBLIC KEY-----
      REMOVED
      -----END PUBLIC KEY-----


      cns.swup.UMautolaunch:
      false

      cns.swup.autoAnalysis.enabled:
      true

      cns.swup.checkinInterval:
      2

      cns.swup.lastCheckin:
      0

      cns.swup.patchbaseline:
      current

      cns.swup.regRequired:
      true

      cns.transport.serverurl:
      https://cns-transport.sun.com



      patchsvr settings:

      Patch source URL: https://getupdates.sun.com
      Cache location: /var/sadm/spool/patchsvr


      Sun UC package status:

      SUNWbreg not installed
      SUNWdc not installed
        • 1. Re: Solaris 10 x86 Update Manager & smpatch errors
          807567
          Try adding patches 121082-08 and 123896-10 before trying again. Also make the change below if you have Java 1.6.0_10 or above installed on the system:

          Look for the following command:
          java -version:1.5+

          In the following files:
          /usr/sbin/pprosvc
          /usr/bin/updatemanager

          Change the command to:
          java -version:1.5*
          • 2. Re: Solaris 10 x86 Update Manager & smpatch errors
            807567
            I added patches 121082-08 and 123896-10 and modified the entries in /usr/sbin/pprosvc and /usr/bin/updatemanager.

            I am now unable to register the system using the Registration Wizard or sconadm (Invalid Sun Online credentials which I know are correct).

            Also, smpatch analyze exits with a timeout.

            ~~~~~reginfo.txt~~~~~~
            userName=[obfuscated]
            password=[obfuscated]
            hostName=
            subscriptionKey=
            portalEnabled=false
            proxyHostName=
            proxyPort=
            proxyUserName=
            proxyPassword=

            sconadm register -a -r /tmp/reginfo.txt
            ~~~~~basicreg.log~~~~~
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.BasicReg loadPropertiesFromHomeDir
            INFO: properties file loaded from the default config.properties
            May 12, 2009 11:46:53 AM com.sun.scn.util.Utils getLocalHostNames
            INFO: get hostname 172.28.121.3
            May 12, 2009 11:46:53 AM com.sun.scn.util.Utils getLocalHostNames
            INFO: first returned hostname 172.28.121.3
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.cacao.NetworkProxyCacaoAdapter setProxy
            INFO: SCNNetworkProxyConfigMBean.setHost() = null
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.cacao.NetworkProxyCacaoAdapter setProxy
            INFO: SCNNetworkProxyConfigMBean.setPort() = null
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.cacao.NetworkProxyCacaoAdapter setProxy
            INFO: SCNNetworkProxyConfigMBean.setUser() = null
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.cacao.NetworkProxyCacaoAdapter setProxy
            INFO: SCNNetworkProxyConfigMBean.setPassword() = null
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.BasicRegCLI printRegistrationProfile
            INFO: userName = [obfuscated]
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.BasicRegCLI printRegistrationProfile
            INFO: password = *****
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.BasicRegCLI printRegistrationProfile
            INFO: hostName =
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.BasicRegCLI printRegistrationProfile
            INFO: subscriptionKey = ********
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.BasicRegCLI printRegistrationProfile
            INFO: portalEnabled =false
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.BasicRegCLI run
            INFO: Authenticating user ...
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.cacao.ClientLoginCacaoAdapter getSCNClientSession
            INFO: CREATING SCNClientSession
            May 12, 2009 11:46:53 AM com.sun.cns.basicreg.cacao.ClientLoginCacaoAdapter$LoginAccountCallbackHandler handle
            INFO: account callback setting username: [obfuscated]
            May 12, 2009 11:47:14 AM com.sun.cns.basicreg.cacao.ClientLoginCacaoAdapter loginAccount
            SEVERE: Error: login account exception: AccessDeniedFault
            May 12, 2009 11:47:14 AM com.sun.cns.basicreg.cacao.ClientLoginCacaoAdapter loginAccount
            SEVERE:
            com.sun.scn.jmx.impl.UISClientLoginModule.login(UISClientLoginModule.java:216)
            sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            java.lang.reflect.Method.invoke(Method.java:585)
            javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
            javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
            javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
            java.security.AccessController.doPrivileged(Native Method)
            javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
            javax.security.auth.login.LoginContext.login(LoginContext.java:575)
            com.sun.scn.jmx.impl.UISClientLogin.login(UISClientLogin.java:201)
            sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            java.lang.reflect.Method.invoke(Method.java:585)
            com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)
            javax.management.StandardMBean.invoke(StandardMBean.java:323)
            com.sun.jmx.mbeanserver.DynamicMetaDataImpl.invoke(DynamicMetaDataImpl.java:213)
            com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
            com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
            com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
            com.sun.jdmk.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:203)
            com.sun.cacao.agent.DispatchInterceptor.invoke(DispatchInterceptor.java:783)
            com.sun.cacao.agent.auth.impl.AccessControlInterceptor.invoke(AccessControlInterceptor.java:638)
            com.sun.jdmk.JdmkMBeanServerImpl.invoke(JdmkMBeanServerImpl.java:764)
            com.sun.cacao.common.instrum.impl.InstrumDefaultForwarder.invoke(InstrumDefaultForwarder.java:126)
            javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1410)
            javax.management.remote.rmi.RMIConnectionImpl.access$100(RMIConnectionImpl.java:81)
            javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1247)
            java.security.AccessController.doPrivileged(Native Method)
            javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1350)
            javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:784)
            sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            java.lang.reflect.Method.invoke(Method.java:585)
            sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
            sun.rmi.transport.Transport$1.run(Transport.java:153)
            java.security.AccessController.doPrivileged(Native Method)
            sun.rmi.transport.Transport.serviceCall(Transport.java:149)
            sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
            sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
            java.lang.Thread.run(Thread.java:595)

            May 12, 2009 11:47:14 AM com.sun.cns.basicreg.cacao.ClientLoginCacaoAdapter getLoginResult
            INFO: SCN Fault: AccessDeniedFault
            May 12, 2009 11:47:14 AM com.sun.cns.basicreg.BasicRegCLI run
            SEVERE: Sun On-line Account authentication failed
            ~~~~~~~~~~~~
            • 3. Re: Solaris 10 x86 Update Manager & smpatch errors
              807567
              In case it helps, here's a new suc.sh...

              ~~~~~~suc.sh~~~~~~~~~~~~~
              User: root
              Logname: root
              Tue May 12 11:56:27 EDT 2009
              [obfuscated]


              smpatch settings:

              patchpro.backout.directory "" ""
              patchpro.baseline.directory - /var/sadm/spool
              patchpro.download.directory /var/sadm/spool /var/sadm/spool
              patchpro.install.types - rebootafter:reconfigafter:standard
              patchpro.patch.source - https://getupdates1.sun.com/
              patchpro.patchset current2 current2
              patchpro.proxy.host - ""
              patchpro.proxy.passwd **** ****
              patchpro.proxy.port - 8080
              patchpro.proxy.user - ""


              smpatch analyze:

              Failure: Cannot connect to retrieve detectors.jar: Read timed out


              Entitlement:

              Solaris10Security
              SolarisSecurityUpdates
              SolarisDataIntegrityUpdates
              SolarisHardwareUpdates
              SolarisUtilityUpdates
              Public
              Solaris10
              SolarisAllUpdates
              ContractRequired


              Sun UC patch revision:

              119789-09
              120336-04
              121082-06
              121082-08
              121119-13
              121119-15
              121454-02
              123004-03
              123006-07
              123631-03
              123896-05
              123896-10
              124187-07


              Solaris release:

              Solaris 10 10/08 s10x_u6wos_07b X86
              Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
              Use is subject to license terms.
              Assembled 27 October 2008


              Solaris Kernel: Generic_137138-09
              Machine Type: i86pc
              Platform: i86pc


              Java -version:

              java version "1.5.0_16"
              Java(TM) Platform, Standard Edition for Business (build 1.5.0_16-b02)
              Java HotSpot(TM) Client VM (build 1.5.0_16-b02, mixed mode, sharing)


              Cacao Java version:

              java-home=/usr/jdk/jdk1.5.0_16


              Software Cluster:

              CLUSTER=SUNWCall


              All ccr properties:

              20:
              Property not defined: 20

              cns.assetid:


              cns.br.SunUCenabled:
              true

              cns.ccr.keyGenPath:
              /usr/lib/cc-ccr/bin/ccrKeyGen

              cns.clientid:


              cns.httpproxy.auth:


              cns.httpproxy.ipaddr:


              cns.httpproxy.port:


              cns.patchsvr.cachelocation:
              /var/sadm/spool/patchsvr

              cns.patchsvr.patchsource:
              https://getupdates1.sun.com/

              cns.regtoken:


              cns.security.password:


              cns.security.privatekey:


              cns.security.publickey:


              cns.swup.UMautolaunch:
              false

              cns.swup.autoAnalysis.enabled:
              true

              cns.swup.checkinInterval:
              2

              cns.swup.lastCheckin:
              0

              cns.swup.patchbaseline:
              current

              cns.swup.regRequired:
              true

              cns.transport.serverurl:




              patchsvr settings:

              Patch source URL: https://getupdates1.sun.com/
              Cache location: /var/sadm/spool/patchsvr


              Sun UC package status:

              SUNWbreg not installed
              SUNWdc not installed
              • 4. Re: Solaris 10 x86 Update Manager & smpatch errors
                807567
                I read a few threads and learned there are errors regarding Usernames conflicting with email addresses. I updated my email address and used it as the Username in the Update Manager and managed to get a little further.

                I am able to get past the first login screen, but I receive the message 'Error in SCN/Cacao Update Liscense' in a pop-up window.
                • 5. Re: Solaris 10 x86 Update Manager & smpatch errors
                  807567
                  Try removing the entries below from the registration profile and try to register with sconadm again. If it still fails and you have an alternative Sun Online Account, it may be worth trying to register using that.

                  hostName=
                  portalEnabled=false
                  • 6. Re: Solaris 10 x86 Update Manager & smpatch errors
                    807567
                    After making the modifications you suggested I was able to register with sconadm. I still receive an error when the Update Manager tries to retrieve current2.zip.

                    Failure: Cannot connect to retrieve detectors.jar: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
                    • 7. Re: Solaris 10 x86 Update Manager & smpatch errors
                      807567
                      To ensure a sane environment, run these two commands and try to register again:

                      # smpatch unset patchpro.backout.directory
                      # find /var/sadm/spool/cache -type f -exec rm {} \;

                      If it still fails, check that the value in the file /usr/lib/patch/com/sun/patchpro/conf/Config.properties is as shown below.
                      [...]
                      patchpro.security.patch.signingcert.alias.default=patchsigning:patchsigning2:patchsigning3
                      [..]

                      Also make sure the cacerts checksum is:

                      # cksum /usr/lib/patch/cacerts
                      3178306627 9373 /usr/lib/patch/cacerts

                      If either of the two checks above fails, then 121119-15 probably did not apply correctly. Try backing it out and re-applying it.

                      Also, can you confirm if you have any version of Java 1.6 installed?
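
The two checks from reply 7 can be scripted so they run the same way on every host. This is an added example, not part of the original post or Sun's tooling: the function names are made up here, the paths and expected values are the ones quoted in reply 7, and it assumes a POSIX shell (bash on the Solaris 10 host).

```shell
#!/bin/sh
# Added example (not from the thread): reply 7's two checks as one script.
# Paths and expected values are copied from reply 7; function names are hypothetical.

CONF=${CONF:-/usr/lib/patch/com/sun/patchpro/conf/Config.properties}
CACERTS=${CACERTS:-/usr/lib/patch/cacerts}
PROP=patchpro.security.patch.signingcert.alias.default
WANT_ALIASES=patchsigning:patchsigning2:patchsigning3
WANT_CKSUM="3178306627 9373"

# get_prop FILE KEY: print the value of KEY from a properties file.
# Commented lines never match; if KEY is assigned twice, the last one wins.
get_prop() {
    tab=$(printf '\t')
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in KEY are literal
    sed -n "s/^[ $tab]*${key_re}[ $tab]*=[ $tab]*//p" "$1" |
        sed "s/[ $tab]*\$//" | tail -1
}

# check_aliases FILE: succeed only if the signing-cert alias list is exact.
check_aliases() {
    got=$(get_prop "$1" "$PROP")
    if [ "$got" = "$WANT_ALIASES" ]; then
        echo "OK   $PROP"
    else
        echo "FAIL $PROP: got '${got:-<unset>}', want '$WANT_ALIASES'"
        return 1
    fi
}

# check_cacerts FILE [WANT]: compare the POSIX cksum CRC and byte count.
check_cacerts() {
    file=$1 want=${2:-$WANT_CKSUM}
    [ -r "$file" ] || { echo "FAIL $file: not readable"; return 1; }
    # Word splitting normalises whether cksum separates fields by tab or space.
    set -- $(cksum < "$file")
    if [ "$1 $2" = "$want" ]; then
        echo "OK   $file"
    else
        echo "FAIL $file: cksum '$1 $2', want '$want'"
        return 1
    fi
}

# verify_update_trust CONF CACERTS: run both checks; non-zero if either fails.
verify_update_trust() {
    rc=0
    check_aliases "$1" || rc=1
    check_cacerts "$2" || rc=1
    [ "$rc" -eq 0 ] || echo "Reply 7's advice applies: back out 121119-15 and re-apply it."
    return "$rc"
}

# Touch the real paths only when asked to:  sh check.sh run
if [ "${1:-}" = run ]; then
    verify_update_trust "$CONF" "$CACERTS"
fi
```

`cksum` is a CRC, so a match shows the patch laid down the expected file but is not evidence against deliberate tampering with the trust store.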
                      • 8. Re: Solaris 10 x86 Update Manager & smpatch errors
                        807567
                        I ran the smpatch and find/rm commands and re-registered successfully.

                        The values in /usr/lib/patch/com/sun/patchpro.conf/Config.properties match the ones you listed.

                        The checksum for cacerts matches your values.

                        I backed out the 121119-15 patch and reinstalled it anyway, same results: I can register but smpatch analyze fails.
                        • 9. Re: Solaris 10 x86 Update Manager & smpatch errors
                          807567
                          Sorry, I forgot to mention that I do not have Java 1.6 installed (that I know of). It's a new, base Solaris 10 installation.
                          • 10. Re: Solaris 10 x86 Update Manager & smpatch errors
                            807567
                            Please can you run the suc.sh script again and supply the output.
                            • 11. Re: Solaris 10 x86 Update Manager & smpatch errors
                              807567
                              The problem may be related to the trusted keystore rather than the certificates being used on the system. I think the easiest method to resolve this would be to restore the previous ccr settings (or re-register the system) and then use a utility to import the keys from getupdates1.sun.com as follows:

                              * Download the attached file (InstallCert.java) and save it to your system.
                              * Compile the program:
                              # javac InstallCert.java
                              * Run the program:
                              # java InstallCert getupdates1.sun.com

                              This will probably produce the same PKIX error that you have been seeing and
                              then produce a list of keys (should be three keys) from getupdates1.sun.com,
                              each of which should be imported (you will need to run the program 3 times in
                              total).

                              More details about the program can be found here:
                              http://blogs.sun.com/andreas/entry/no_more_unable_to_find

                              Thanks