Re: Security Catalog (427 Views)
Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 1 of 22 (427 Views)

Security Catalog

Guys: Need a NON-ftp url from which to download the latest security_catalog.gz for the SWA app.

Unfortunately, my workplace disallows FTP and I'd rather not have to sneakernet/email the catalog to/from my home PC.

Anybody?

Thanks.
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 2 of 22 (427 Views)

Re: Security Catalog

Shalom,

Download it to a pc and use SFTP to place the file on your HP-9000 system. The file can be grabbed by a Linux box using wget.

If http is allowed, wget can be installed on the HP-UX system.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 3 of 22 (427 Views)

Re: Security Catalog

No SFTP, NO FTP, NO anything but http OR https. Everything but http/s has been disallowed.

If I have to, I'll do it while eating supper at home... looks like once again, HP's made it near impossible for restrictive workplaces to get to the update info.

Honored Contributor
Ivan Krastev
Posts: 2,156
Registered: ‎06-25-2006
Message 4 of 22 (427 Views)

Re: Security Catalog

Latest security_catalog.xml.gz from ftp://ftp.itrc.hp.com/export/patches/ is about 1MB in size.
If you have mail enabled try to mail it to the server.

regards,
ivan
Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 5 of 22 (427 Views)

Re: Security Catalog

What I need is the URL for the HTTPS site that HP refers to in its docs when it refers to the way the patch check tool retrieves the security catalog. Every doc page I've read on this site refers to the https url, but none of them go so far as to actually GIVE the url outright.

An FTP solution is NG for me... I really don't want to take my work home w/me...
Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 6 of 22 (427 Views)

Re: Security Catalog

Must be a slow day for informative answers.

If the only access to this $#^^&%$ is via FTP, it's a VERY POOR solution on HP's part.

Better luck next time, I guess.
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 7 of 22 (427 Views)

Re: Security Catalog

John,

We changed the default from ftp to https in 2004 (for Security Patch Check). http has also been available. If you had set an ftp proxy, SPC would have still tried ftp as a protocol, but it also supported http_proxy and https_proxy.

The new tool, SWA, doesn't use security_catalog.gz. Instead, it uses swa_catalog.xml.gz. Again, the default is https, with http and ftp URLs available as documented in the man page.

Now, the real problem you'll run into is downloading the patches. Unfortunately, ftp is still used for that step (with integrity verified based on md5sums in the catalog). If you want to use the automatic download features, we can dive into some more details there on how to make that work (and I can file an enhancement to make it easier).

What is your plan for downloading the patches once you know which ones you need?

Also, if you need the URL to the swa catalog, I can go look it up in the man page and get back to you...but I hope that swa will just work (with appropriate proxy settings for your environment)

Really, we did try to support everything from automated to sneakernet, and we want to know if it doesn't work in your environment. We'd expect sneakernet to be a bit more difficult, but you don't need sneakernet when you've got https/http.

Hope that helps. Oh...and sorry for the delay, but some of us sleep during our night times :)

-Keith
Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 8 of 22 (427 Views)

Re: Security Catalog

Keith,

Auto-downloads are out of the question. No comm is available outside of VPN access to predefined, business only connections.

We've automated the check, however no ftp connections are allowed. Period. HTTP/S only.

If FTP is the only way to get at this stuff, then I will have to continue to acquire the catalog from my home computer. Not that I mind much, I'd just rather not work at home on anything work related.

If I can get to archives of the catalog via HTTP/S, there's no reason why HP shouldn't make the latest available this way as well.

Man pages are also disallowed where I work... the IT Director is a "Windows" guy who thinks they're a waste of diskspace. I went to docs.hp.com and didn't see the url. I'll have to do so again.

It's just another inconvenience where it's clear to me that HP does not accommodate a customer such as myself/my company.
Regular Advisor
Robert Fritz
Posts: 132
Registered: ‎07-27-2003
Message 9 of 22 (427 Views)

Re: Security Catalog

Hi John,

As Keith mentioned, the catalogs are already available (by default) via http or https. Only the patches themselves are only available via FTP (though with MD5 sums for verification).

I believe Keith is filing an enhancement request for http(s) patch downloads, and there is already understanding in the organization that this needs to be improved.

So sorry that it's not ideal yet, but at least the https catalog piece is in place.
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
Acclaimed Contributor
James R. Ferguson
Posts: 21,184
Registered: ‎07-06-2000
Message 10 of 22 (427 Views)

Re: Security Catalog

Hi John:

> Man pages are also disallowed where I work... the IT Director is a "Windows" guy who thinks they're a waste of diskspace.

Holy %$#!:*

Let me guess, your IT "Director" believes that the memory and disk footprints for his favorite thing are small, too. I'd venture to say that perhaps the bloat needed for his favorite stuff consumes all of the otherwise cheap disk available.

This sounds like pretending something doesn't exist by ignoring it. Kill what you don't like, eh?

Regards & Good Luck!

...JRF...
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 11 of 22 (427 Views)

Re: Security Catalog

John,

So, other than the surprising fact that your manager doesn't believe you should have access to documentation (I mean, we all know that it's usually a last resort to read it, but it's definitely helpful to have it when you do...), is there still something that isn't working?

As I read your response, http/https are both allowed, and that's what swa uses by default to get the latest catalog.

Another helpful hint is that a lot of the "documentation" for swa is embedded in the binary, and can be accessed using -? on the command line. -x -? lists all the extended options with descriptions. It's not as complete as the man pages, but it's a start.

Hope that helps.

-Keith
Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 12 of 22 (427 Views)

Re: Security Catalog

OK... guys! Last reply... Yes... the "boss" of the month thinks exactly that. Also, all he had to do was read (somewhere) that some MAN pages were (at some point) system vulnerabilities (once again, I don't know where) and that was enough for him.

The http/s thing... the machines are in a VPN that (believe it or not, RIPLEY!!!) disallows comm with anything other than what's allowed by the VPN rules (established via a network router), IE: No connection to anything but other machines within the VPN definition... Even further, browsers are outlawed!?! Don't ask me, I just work for the "boss-of-the-month" club.

So the only method I have of getting the catalog is via my work PC... and yes, you've probably already guessed by now... FTP is disallowed due to too many people downloading everything from screen savers to IM applications. Talk about being locked down. This can sometimes seem like a Triple-Max Prison. Good thing I'm a contractor and only have to put up with any given assignment for so long... this one's going to be over before Xmas.

Whew! Got to get back to the Russian Front! There's a war to fight out there... and I can hear the bombs going off in the distance!
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 13 of 22 (427 Views)

Re: Security Catalog

John,

Makes more sense now. Here's the URL (copied from the man page):
https://ftp.itrc.hp.com/wpsl/bin/doc.pl/screen=wpslDownloadPatch/swa_catalog.xml.gz?PatchName
=/export/patches/swa_catalog.xml.gz


We are working on a shorter, more memorable URL, but this is the best I can do for now.

We will also work on publishing the man pages on the web so you can read them from your PC...

Hope that helps.

-Keith
Acclaimed Contributor
Dennis Handly
Posts: 25,188
Registered: ‎03-06-2006
Message 14 of 22 (427 Views)

Re: Security Catalog

(You might want to reopen this thread and assign some points.)

>Man pages are also disallowed where I work. I went to docs.hp.com

You should be able to find them easily, 11.31: (perhaps not for SWA?)
http://docs.hp.com/en/B2355-60130/index.html

>all he had to do was read (somewhere) that some MAN pages were (at some point) system vulnerabilities (once again, I don't know where) and that was enough for him.

Is he thinking about the .sy nroff command and the linker man pages? There should be an 11.23 patch out soon that changes to use absolute paths for commands.
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 15 of 22 (427 Views)

Re: Security Catalog

FYI, we have added the SWA man pages to the appendix of the SWA Admin Guide, so you can access them with your web browser:

http://docs.hp.com/en/5992-2903/apa.html

Hope that helps.
Acclaimed Contributor
James R. Ferguson
Posts: 21,184
Registered: ‎07-06-2000
Message 16 of 22 (427 Views)

Re: Security Catalog

Hi (again):

>Keith: FYI, we have added the SWA man pages to the appendix of the SWA Admin Guide, so you can access them with your web browser.

Keith, that's really a nice documentation touch and very much appreciated since it puts a web version of the manpages in a place where one is likely to want to look.

John, you ought to re-open this thread and give Keith the credit he deserves :-)

Regards!

...JRF...
Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 17 of 22 (427 Views)

Re: Security Catalog

Guys... I'm really getting very annoyed at this point. You guys are not listening to what I am saying. You can't be, otherwise we wouldn't still be talking about the HP URL as it currently exists.

Let's revisit... I CAN NOT get to ANYTHING as HP has it published! It's EXTREMELY USELESS TO ME AT THIS POINT. IT'S WORTHLESS!

Keith: Here's the result of selecting the URL from the man page that you left... see attached.

I don't understand WHY no one is catching on to the fact that ANY URL THAT CONTAINS

FTP

DOES NOT WORK.

HP... IF YOU ARE LISTENING AND CAN UNDERSTAND WHAT I'M SAYING...

DROP THE FTP and GIVE ME A URL THAT CONTAINS ONLY HTTP or HTTPS. ANY FTP reference in the URL will FAIL ANY CONNECTION.

GET RID OF THE FTP!!!!!!!!!!!!!!!!!!!

GET RID OF THE FTP!!!!!!!!!!!!!!!!!!!

GET RID OF THE FTP!!!!!!!!!!!!!!!!!!!

And now, PLEASE check what I have attached. SEE FOR YOURSELF.

Resolve this AS ABOVE and I'll reopen to give credit where it is due.

OK... UNFORTUNATELY, this site once again is the root of another problem since it has restricted my ability to attach a doc >1MB. HP, get with it. DISK IS CHEAP.

Anyone who has an interest in seeing the attachment so that we can get this defective process fixed, contact me and I'll send it directly to you.
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 18 of 22 (427 Views)

Re: Security Catalog

John,

The following URL uses the https protocol (which you said was fine from your PC, even though we still haven't solved the direct from HP-UX server problem). If the hostname "ftp" is giving you problems, let me know and we'll see what we can do about that...but I'm still thinking you're talking about the ftp PROTOCOL being disallowed, which is not used by this URL?

https://ftp.itrc.hp.com/wpsl/bin/doc.pl/screen=wpslDownloadPatch/swa_catalog.xml.gz?
PatchName=/export/patches/swa_catalog.xml.gz

As for the man pages, I still hope they are useful to you online, even if we're talking past each other on this particular problem.

Hope this helps...

-Keith
Acclaimed Contributor
Dennis Handly
Posts: 25,188
Registered: ‎03-06-2006
Message 19 of 22 (427 Views)

Re: Security Catalog

>Here's the result of selecting the URL from the man page that you left

If you can't attach it, could you cut&paste or at least describe what you see?

I assume you were able to glue the parts of the split URL?

>ANY FTP reference in the URL will FAIL ANY CONNECTION.

You mean it looks at the "ftp" characters in the name instead of the protocol type?

>Keith: If the hostname "ftp" is giving you problems, let me know and we'll see what we can do about that.

Why would you need to do anything about that? :-)
Just use the IP address and ignore the part about the security certificate not matching for 192.151.52.14.
Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 20 of 22 (427 Views)

Re: Security Catalog

Excerpt of the result attached.
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 21 of 22 (427 Views)

Re: Security Catalog

Dennis,

Thanks...it was late at night when I wrote that...good point :)

John,

In the screenshot, it looks like you're missing the end of the URL:

=/export/patches/swa_catalog.xml.gz

We are hoping to do something about the length of the URL so I can actually remember it without having to refer back to the man page. (and the length causes some formatting issues in nroff, which could have caused the missing end of the URL...not sure)

Hope that helps.

-Keith
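
An added example, not part of any post in this thread and not HP's code: the two questions raised in messages 18 to 21 (is the block on the ftp protocol or on the letters "ftp" in the hostname, and did the pasted URL lose its wrapped second half) can be checked mechanically. The function names and the substring filter are hypothetical; the URLs are the ones quoted in the thread, with the HTTPS one rejoined from its two halves.

```python
from urllib.parse import urlsplit, parse_qs

# URLs quoted in the thread; the HTTPS one is rejoined from its two wrapped lines.
CATALOG_FTP = "ftp://ftp.itrc.hp.com/export/patches/"
CATALOG_HTTPS = (
    "https://ftp.itrc.hp.com/wpsl/bin/doc.pl/screen=wpslDownloadPatch/"
    "swa_catalog.xml.gz?PatchName=/export/patches/swa_catalog.xml.gz"
)
# Constructed sample: the same URL with the wrapped second line lost.
CATALOG_TRUNCATED = CATALOG_HTTPS.split("=/export")[0]

ALLOWED_SCHEMES = {"http", "https"}  # workplace policy as described in the thread


def allowed_by_scheme(url: str) -> bool:
    """Egress decision based on the protocol the URL actually uses."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def blocked_by_substring(url: str) -> bool:
    """Hypothetical naive filter that rejects any URL containing 'ftp'."""
    return "ftp" in url.lower()


def catalog_url_problems(url: str) -> list:
    """List the reasons a pasted catalog URL fails on an HTTP/S-only network."""
    parts = urlsplit(url)
    scheme_ok = parts.scheme.lower() in ALLOWED_SCHEMES
    problems = []
    if not scheme_ok:
        problems.append(f"protocol {parts.scheme!r} is not http/https")
    # keep_blank_values makes a bare 'PatchName' show up as present but empty.
    query = parse_qs(parts.query, keep_blank_values=True)
    if scheme_ok and not query.get("PatchName", [""])[0]:
        problems.append("PatchName value missing: URL was cut at the line wrap")
    return problems


if __name__ == "__main__":
    for url in (CATALOG_FTP, CATALOG_HTTPS, CATALOG_TRUNCATED):
        print(allowed_by_scheme(url), blocked_by_substring(url),
              catalog_url_problems(url))
```

A filter that keys on the scheme passes the HTTPS catalog URL even though its hostname begins with "ftp"; only a substring match would reject it.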
Acclaimed Contributor
Dennis Handly
Posts: 25,188
Registered: ‎03-06-2006
Message 22 of 22 (427 Views)

Re: Security Catalog
