SWA is a great tool for analyzing installed patches and products; it returns a catalog which is used to create new patch recommendations. However, some of the information about each server can be considered private, so a secure method for uploading and downloading is required. This is handled with root certificate authorities. HP and Verisign have agreed to upgrade their certificates from 1024 bits to 2048 bits. If you were able to run SWA and connect to the patch analysis site in the past, you may now be receiving errors like this:
ERROR: Failed to access authorization service.
However, SWA is very dependent on the underlying Java JRE code, so the installed version on your HP-UX system must be JRE 5 >= 1.5.0.20.00 or JRE 6 >= 1.6.0.07.00. In some cases, installing or upgrading to either of these versions is the easiest solution, and you can download the latest versions from http:///service-it-direct.s7.devpreviewr.com.hp.com/go/java. As of the date of this document, the latest versions are JRE 5 version 1.5.0.24 and JRE 6 version 1.6.0.12, which meet the minimum requirement.
Check to see if the new certificate is already installed:
# /opt/java6/jre/bin/keytool -list -keystore /opt/java6/jre/lib/security/cacerts -storepass changeit | grep -i -e "3C:48:42:0D:FF:58:1A:38:86:BC:FD:41:D4:8A:41:DE"
Certificate fingerprint (MD5): 3C:48:42:0D:FF:58:1A:38:86:BC:FD:41:D4:8A:41:DE
Now if the Certificate fingerprint was not found (no output from the grep command) then the new certificate has not been installed. To install the latest certificate:
- Go to the VeriSign web site: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=SO14649#Secure_Site
- Verify that the certificate box is titled: VeriSign Class 3 Secure Server CA - G3. There are several certificates similarly titled. The serial number must be compared in a later step:
Serial Number: 6e cc 7a a5 a7 03 20 09 b8 ce bc f4 e9 52 d4 91
- Copy the contents in the box including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
- Using vi on the HP-UX system, create a file called CA-V3C3Gint which should be owned by root and (recommended) stored in /etc/CA-V3C3Gint. This file will only be needed once to install the certificate, so it can be removed after the certificate is functional.
- Verify that the certificate is not corrupted and has the correct MD5 Fingerprint (not the serial number):
# openssl x509 -in CA-V3C3Gint -fingerprint -md5
MD5 Fingerprint=3C:48:42:0D:FF:58:1A:38:86:BC:FD:41:D4:8A:41:DE
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
…more…
- Now import the certificate into the keystore:
# /opt/java6/jre/bin/keytool -import -trustcacerts -keystore /opt/java6/jre/lib/security/cacerts -storepass changeit -file CA-V3C3Gint -alias "VeriSign Class 3 Public Primary CA - G3"
- If you imported the wrong certificate, repeat the above keytool command but change -import to -delete.
- Test SWA to see that it can now contact the patch analysis system:
# swa report
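The steps above can be combined into one guarded script. This is an added example, not part of the original procedure: it refuses to import unless both the serial number and the MD5 fingerprint quoted in this article match, and it skips the import when the keystore already lists the fingerprint. The function names are illustrative; the paths, alias and expected values are the ones given on this page.

```shell
#!/bin/sh
# Added example: check serial and MD5 fingerprint before the keytool import.
# Expected values, paths and alias are the ones quoted in the article;
# function names are illustrative.
EXPECTED_MD5="3C:48:42:0D:FF:58:1A:38:86:BC:FD:41:D4:8A:41:DE"
EXPECTED_SERIAL="6e cc 7a a5 a7 03 20 09 b8 ce bc f4 e9 52 d4 91"
KEYTOOL=/opt/java6/jre/bin/keytool
CACERTS=/opt/java6/jre/lib/security/cacerts

# Reduce "MD5 Fingerprint=AA:BB", "serial=AABB", "... (MD5): aa:bb" or
# "aa bb" to bare upper-case hex so output from different tools can be compared.
norm_hex() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/^.*): *//' |
        tr -d ': \t\r' | tr 'abcdef' 'ABCDEF'
}

same_hex() { [ "$(norm_hex "$1")" = "$(norm_hex "$2")" ]; }

# Reads `keytool -list` output on stdin; succeeds if an entry has fingerprint $1.
keystore_has_fp() {
    want=$(norm_hex "$1")
    while IFS= read -r line; do
        case $line in
            *fingerprint*)
                if [ "$(norm_hex "$line")" = "$want" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Verify the PEM file, then import it unless the keystore already has it.
install_if_verified() {
    serial=$(openssl x509 -in "$1" -noout -serial) || return 2
    fp=$(openssl x509 -in "$1" -noout -fingerprint -md5) || return 2
    same_hex "$serial" "$EXPECTED_SERIAL" ||
        { echo "serial mismatch: $serial" >&2; return 1; }
    same_hex "$fp" "$EXPECTED_MD5" ||
        { echo "fingerprint mismatch: $fp" >&2; return 1; }
    if "$KEYTOOL" -list -keystore "$CACERTS" -storepass changeit |
        keystore_has_fp "$EXPECTED_MD5"; then
        echo "certificate already in $CACERTS"; return 0
    fi
    "$KEYTOOL" -import -trustcacerts -keystore "$CACERTS" -storepass changeit \
        -file "$1" -alias "VeriSign Class 3 Public Primary CA - G3"
}

# Run only when a certificate file is given, e.g. ./script /etc/CA-V3C3Gint
if [ -n "${1:-}" ] && [ -f "$1" ]; then install_if_verified "$1"; fi
```

Run it as root with the saved certificate file as its only argument; keytool still asks for confirmation before trusting the certificate.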