HP-UX Software Assistant Administration 
Guide 
HP-UX 11i Systems 
HP Part Number: 5992-6588 
Published: September 2009 
Edition: 7

© Copyright 2007–2009 Hewlett-Packard Development Company, L.P. 
Legal Notices 
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial 
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under 
vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products 
and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as 
constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. UNIX is a registered 
trademark of The Open Group. 
Acknowledgments 
Java is a U.S. trademark of Sun Microsystems, Inc. 
Microsoft and Windows NT are U.S. registered trademarks of Microsoft Corporation.

Table of Contents 
About this Document..........................................................................................................5 
Intended Audience................................................................................................................................5 
Typographic Conventions.....................................................................................................................5 
Related Information...............................................................................................................................5 
Publishing History.................................................................................................................................6 
HP Encourages Your Comments............................................................................................................6 
1 Introducing HP-UX Software Assistant..........................................................................7 
HP-UX SWA Overview..........................................................................................................................7 
SWA Release Notes................................................................................................................................7 
SWA Capabilities...................................................................................................................................7 
SWA Command Structure......................................................................................................................7 
The Major Modes..............................................................................................................................8 
Extended Options.............................................................................................................................9 
SWA Help.........................................................................................................................................9 
2 Installing HP-UX Software Assistant............................................................................11 
Installation Requirements....................................................................................................................11 
Where to Find the SWA Software.........................................................................................................11 
Installing SWA from the Web...............................................................................................................12 
Installing SWA from HP Operating Environment Media....................................................................12 
Installing SWA from HP Applications Media......................................................................................12 
Installing SWA from a Local or Remote Depot.....................................................................................12 
Installing SWA to Use Within HP SIM.................................................................................................12 
Uninstalling SWA from an HP-UX system...........................................................................................13 
3 Quick Start....................................................................................................................15 
Steps to Using SWA.............................................................................................................................15 
Run the Initial Report..........................................................................................................................15 
Review Recommended Actions............................................................................................................16 
Download Patches and Make a Depot..................................................................................................16 
Read the readBeforeInstall.txt file and take appropriate actions............................................17 
Install the Depot...................................................................................................................................17 
Generate a Second Report.....................................................................................................................17 
Put Appropriate Actions in the Ignore File..........................................................................................17 
4 Creating and Interpreting Reports..............................................................................19 
Analysis................................................................................................................................................19 
Report Overview..................................................................................................................................19 
The HTML Report................................................................................................................................20 
The Assessment Profile........................................................................................................................21 
The Action Report................................................................................................................................22 
Patch Bundles.................................................................................................................................22 
Patches............................................................................................................................................22 
Manual Actions...............................................................................................................................22 
The Issue Report..................................................................................................................................23 
Latest Quality Pack Bundle (QPK)..................................................................................................23 
Security Bulletins (SEC)...................................................................................................................24 
Table of Contents 3

Patches that Fix Critical Issues (CRIT).............................................................................................25 
Patches with Warnings (PW)...........................................................................................................25 
Specific Patch (PATCH) and Patch or Recommended Successor (CHAIN)....................................25 
Automatically Invoked Analyzers..................................................................................................25 
The Detail Report.................................................................................................................................26 
5 Networking Options....................................................................................................29 
Using SWA in Secure Network Environments.....................................................................................29 
Using Proxy Servers With Software Assistant................................................................................29 
Using the download_cmd Extended Option..................................................................................29 
Running SWA on a System Without Access to the Internet............................................................30 
6 Running SWA From Within HP SIM...........................................................................31 
Selecting Target Systems.......................................................................................................................31 
Verifying Selected Systems...................................................................................................................32 
Running Your Analysis........................................................................................................................33 
Setting Report Options for SWA in HP SIM....................................................................................33 
Running SWA.................................................................................................................................34 
The Multisystem Summary Report.......................................................................................................35 
A Useful Files and Directories.........................................................................................37 
B Troubleshooting SWA..................................................................................................39 
The swa.log file.................................................................................................................................39 
The swa.conf file...............................................................................................................................39 
Common Errors...................................................................................................................................39 
CRL checking error when getting catalog.......................................................................................39 
Failed to read swa_catalog.xml.......................................................................................................39 
Proxy errors....................................................................................................................................39 
HP SIM Errors Related to SWA.............................................................................................................40 
SWA Installation Error.....................................................................................................................40 
Performance Issues.........................................................................................................................40 
C SWA Manpages..........................................................................................................41 
swa(1M)................................................................................................................................................42 
swa-clean(1M)......................................................................................................................................46 
swa-get(1M).........................................................................................................................................50 
swa-report(1M)....................................................................................................................................57 
swa-step(1M)........................................................................................................................................67 
Glossary...........................................................................................................................81 
Index................................................................................................................................83 
4 Table of Contents

About this Document 
Intended Audience 
This administration guide is for system administrators who maintain the security of HP-UX 
systems. 
This documentation supersedes the obsoleted Security Patch Check (SPC) documentation. See 
HP Security Notice HPSN-2008–001 for more information. 
Administrators are assumed to have in-depth knowledge of HP-UX operating system concepts, 
commands, and configurations. It assumes familiarity with installing HP computer hardware 
and software, upgrading software, applying patches, and troubleshooting system problems. 
Additionally, administrators are expected to have knowledge of Transmission Control 
Protocol/Internet Protocol (TCP/IP) networking concepts. 
Typographic Conventions 
swa(1M) An HP-UX manpage. In this example, “swa” is the manpage 
name and “1M” is the manpage section. 
Book Title Title of a book or other document. 
http://www.docs.hp.com A website address that is a hyperlink to the site. 
command Command name or qualified command phrase. 
user input Commands and other text that you type. 
computer output Text displayed by the computer. 
Enter The name of a keyboard key. Note that Return and Enter 
both refer to the same key. A sequence such as Ctrl-A indicates 
that you must hold down the key labeled Ctrl while pressing 
the A key. 
glossary term A glossary term used for the first time in the text of this 
manual; for example, patch. 
ENV The name of an environment variable. 
errno The name of a program variable. 
value A value that you may replace in a command or function, or 
information in a display that represents several possible 
values. 
Related Information 
For more information regarding SWA, refer to the following sources: 
• The http://www.hp.com/go/swa web page provides the product overview, download links, 
and installation instructions. 
• The HP-UX Software Assistant Release Notes document describes new features and changes 
in the latest version of SWA and is available at http://www.docs.hp.com. 
• The SWA manpages describe the commands and provide examples. The manpages are 
available from the HP-UX command line using the man command and are presented in this 
document in the Appendix C “SWA Manpages” section. 
— swa(1M) 
— swa-clean(1M) 
— swa-get(1M) 
Intended Audience 5

— swa-report(1M) 
— swa-step(1M) 
For information related to SWA, refer to the following. Technical documentation is available at 
http://www.docs.hp.com. 
• The HP IT Resource Center website at http://itrc.hp.com. 
• Patch Management User Guide for HP-UX 11.x Systems 
• HP-UX 11i Version 3 Release Notes (September 2007 and later) 
• HP-UX 11i v3 Installation and Update Guide (September 2007 and later) 
• HP-UX 11i Version 2 Release Notes (June 2007 and later) 
• HP-UX 11i v2 Installation and Update Guide (June 2007 and later) 
Publishing History 
The document printing date and part number indicate the document’s current edition. The 
printing date will change when a new edition is printed. Minor changes may be made at reprint 
without changing the printing date. The document part number will change when extensive 
changes are made. Document updates may be issued between editions to correct errors or 
document product changes. To ensure that you receive the updated or new editions, you should 
subscribe to the appropriate product support service. See your HP sales representative for details. 
You can find the latest version of this document on line at: http://www.docs.hp.com. 
Edition Publication Date 
Number 
Manufacturing Part Supported Operating Systems 
Number 
5992–6588 HP-UX 11i v1, 11i v2, 11i v3 7 September, 2009 
5992–5841 HP-UX 11i v1, 11i v2, 11i v3 6 March, 2009 Fusion Release 
5992–5372 HP-UX 11i v1, 11i v2, 11i v3 5 October, 2008 
5992–4753 HP-UX 11i v1, 11i v2, 11i v3 4 September, 2008 
5992-3930 HP-UX 11i v1, 11i v2, 11i v3 3 March, 2008 
5992-2903 HP-UX 11i v1, 11i v2, 11i v3 2 September, 2007 
5992-0548 HP-UX 11i v1, 11i v2, 11i v3 1 June, 2007 
HP Encourages Your Comments 
HP encourages your comments concerning this document. We are committed to providing 
documentation that meets your needs. Send any errors found, suggestions for improvement, or 
compliments to: 
http://www.docs.hp.com/en/feedback.html. 
Include the document title, manufacturing part number, and any comment, error found, or 
suggestion for improvement you have concerning this document. 
6

1 Introducing HP-UX Software Assistant 
HP-UX SWA Overview 
HP-UX Software Assistant (SWA) is a tool that consolidates and simplifies patch management 
and security bulletin management on HP-UX systems. SWA combines the versatility and power 
of the HP IT Resource Center (ITRC) Patch Assessment and the now obsolete Security Patch 
Check (SPC) utilities, and is the HP-recommended utility to use to maintain currency with 
HP-published security bulletins for HP-UX software. 
SWA can perform a number of checks including applicable security bulletins and installed patches 
with critical warnings. Once an analysis has been performed, you can use SWA to download 
any recommended patches or patch bundles and create a depot ready for installation. 
The SWA tool is new for HP-UX 11i releases as of January 2007. 
SWA Release Notes 
For information on what's new with the latest version of SWA, see the HP-UX Software Assistant 
Release Notes available at the HP Technical Documentation website. 
SWA Capabilities 
SWA's major functions are briefly outlined below. 
Analyze 
SWA runs as a client-side patch and security analysis tool. An HP-supplied catalog file with 
known problems and fixes is downloaded from the HP IT Resource Center (ITRC) and compared 
to the software installed on the system. Depots used for full-system installation, such as the 
installation depot on an OE DVD, may also be analyzed. 
Systems are analyzed for patch warnings, critical defects, security bulletins, missing Quality 
Pack (QPK) patch bundles, and user-specified patches and supersession chains. 
SWA optimizes the automatic selection of patch dependencies by assessing the quality of the 
dependency, providing the best case scenario for the dependency, minimizing changes to the 
system, and assessing future patch dependency changes. 
Report 
SWA is able to generate a variety of reports based on its analysis. Action, Issue, and Detail reports 
are available. A consolidated HTML report with links to the technical knowledge base is always 
created. SWA provides a report used when downloading software from HP, and also reports 
actions that need to be taken manually. 
Download Software from HP 
Based on the analysis, SWA obtains patches from HP and creates a Software Distributor (SD) 
depot of software for installation. 
SWA automatically uses MD5 cryptographic hash to verify patch integrity before unpacking 
downloaded patches. 
SWA Command Structure 
HP-UX Software Assistant is a tool that uses a major mode style interface. 
# swa <major mode> 
SWA has the following major modes: report, get, step, and clean. 
HP-UX SWA Overview 7

Extended options modify each SWA command. They can be specified on the command line or 
saved in a configuration file. 
# swa <major mode> -x <extended_option> 
# swa <major mode> -X <extended_option_config_file> 
Context sensitive help is available for all SWA commands with the -? option. 
# swa <major mode> -? 
The following sections give a brief overview of swa commands. For detailed information, see 
Appendix C (page 41) . 
The Major Modes 
SWA has the following major modes: report, get, step, and clean. 
The major modes report and get are comprised of steps, outlined below. The step mode 
allows you to execute one of these steps. The clean mode frees up disk space by removing 
caches of files from previous SWA sessions. 
Report 
# swa report 
The swa report command is comprised of the following steps, and executes them in the order 
listed. 
Inventory – The swa report command first does an inventory of the installed software. The 
inventory is written to $HOME/.swa/cache/swa_inventory_n.xml. 
Catalog – Then, swa report downloads an HP-supplied catalog file from the ITRC website 
that contains known security issues and other defects along with their solutions. The catalog file 
is saved to $HOME/.swa/cache/swa_catalog.xml. 
Analyze – The inventory file is then compared with the catalog file to see what issues need to 
be resolved on the system, and the resulting analysis file is written to $HOME/.swa/cache/ 
swa_analysis.xml. 
Report – A summary of recommended actions are written to standard output and comprehensive 
results are written to $HOME/.swa/report/swa_report.html. 
Get 
# swa get 
The swa get command is comprised of the steps download and depot, and executes them in 
the order listed. Prerequisites to the swa get command are the steps inventory, catalog, 
and analyze. 
Download – The swa get command uses the results file generated by the analysis step of swa 
report to download the necessary software from HP. Write access to the swcache directory is 
required for this step. 
Depot – The downloaded software is then packaged in a depot. Superuser privileges are required 
for this step. 
Step 
# swa step {inventory | catalog | analyze | report | download | depot} 
The swa report and swa get commands are made up of steps. The swa report command 
is comprised of the steps inventory, catalog, analyze, and report. The swa get command 
is comprised of the steps download and depot. 
With the swa step command, you can execute one discrete step of the swa report or swa 
get command, such as: swa step inventory. 
8 Introducing HP-UX Software Assistant

Clean 
# swa clean {usercache | swcache | all} 
When the swa command runs, it produces cache files for its use. Run swa clean to free up disk 
space after your swa session is complete. 
The swa clean command has modifiers that specify the caches to clean. The modifiers are: 
usercache, swcache, and all. The usercache holds the files created by swa report, and the 
swcache holds the patches and patch bundles downloaded by swa get or swa step download. 
The swcache directory can be set with the extended option swcache. 
NOTE: The usercache generally does not consume much disk space, but the swcache can 
consume a significant amount of disk space. There is a trade-off between removing software 
from the swcache directory and having to repeat a software download. 
Extended Options 
Extended options allow you to tailor SWA behavior to your own specifications as each phase is 
performed: analysis, reporting, and downloading HP software. SWA commands are capable of 
accepting extended options via command line or in an extended options configuration file. 
Precedence of extended options sources are given in the manpages. 
To specify an extended option via command line, use the syntax swa_command -x option. 
To use a configuration file, there are three options: 
• Specify a file on the command line with swa_command -X option_file. 
• Use the $HOME/.swa.conf file. 
• Use the /etc/opt/swa/swa.conf file. 
The SWA manpages document applicable extended options for a command, and the /etc/opt/ 
swa/swa.conf.template file outlines the usage and syntax of each extended option. Be sure 
to read the manpages so you are aware of the extended options' default values associated with 
each command. 
SWA Help 
Use the -? option at any level of a command to get context sensitive information regarding usage 
and available options. For example: 
# swa report -? 
Usage: 
swa report [options] Analyze and report issues and new software 
Where options include: 
-a analyzer One of the analyzers to use <multiple -a options can 
be specified> 
-q Decrease verbosity of output 
-r report_type Set the type of the stdout report 
-s System, depot or existing local inventory file to analyze. 
-v Increase verbosity of output 
-x ext_option=value Set the extended option to value <multiple -x options 
can be specified> 
-X option_file Read extended option settings from this file 
Use "swa report -<option> -?" <e.g. "swa report -x -?"> to get a 
description of options that have arguments 
SWA Command Structure 9

10

2 Installing HP-UX Software Assistant 
To install SWA on HP-UX, you have several options: 
• “Installing SWA from HP Operating Environment Media” (page 12) 
• “Installing SWA from HP Applications Media” (page 12) 
• “Installing SWA from the Web” (page 12) 
• “Installing SWA from a Local or Remote Depot” (page 12) 
• “Installing SWA to Use Within HP SIM” (page 12) 
Installation Requirements 
To install SWA, you will require the following items: 
• A system running an HP-UX 11i Operating Environment. 
• Administrative privileges to install software on the target system. 
• The required applications, described in the table below. They are included in the SWA 
bundle for download. 
Table 2-1 SWA and Required Applications 
Product Name Bundle/Product ID Status 
Required. It supersedes Security 
Patch Check (SPC). 
HP-UX Software Assistant SwAssistant/B6834AA 
Jre14.JRE14,r>=1.4.2.09.04 or Required. 
Jre15.JRE15,r>=1.5.0.02.01 or 
Jre60.JRE60,r>=1.6.0.00.00 
Java Runtime1 
Required. It is included in the 
SWA download from Software 
Depot and on the OE and AR 
media. 
Judy-lib.JUDY-COMMON, 
r>=B.11.11.04.00S 
Judy Libraries 
Required for HP-UX 11i v1 
(B.11.11) only. 
C++ Runtime Library Patch PHSS_22898 
Perl 5 PERL-RUN,r>=B.5.6.1.C Legacy for SPC only. 
1 Java™ is only required for SWA analysis functionality. If you do not want Java on a system, you have the 
following alternatives: 
— Install Java and the full SWA tool on a single system and do all analysis from that system. The SwaMin 
product may be installed on clients that have no network connectivity to the analysis system. 
— Use the SwaMin product to gather inventory and upload to the HP IT Resource Center web site at http:// 
itrc.hp.com for analysis (currently patches only). 
Where to Find the SWA Software 
You can obtain SWA software from the following places: 
• HP-UX 11i v1 (B.11.11), HP-UX 11i v2 (B.11.23), HP-UX 11i v3 (B.11.31): HP-UX Software 
Assistant website at https://www.hp.com/go/swa 
• HP-UX 11i v1 (B.11.11): Applications DVD; June 2007 and later 
• HP-UX 11i v2 (B.11.23): Operating Environment DVD; June 2007 and later 
• HP-UX 11i v3 (B.11.31): Operating Environment DVD; September 2007 and later 
• HP-UX 11i v3 (B.11.31): Applications DVD; March 2008 and later
Installation Requirements 11

Installing SWA from the Web 
For HP-UX 11i releases, you can download SWA from the HP-UX Software Assistant web page 
at https://www.hp.com/go/swa. This web page contains installation instructions for downloading 
the SWA depot and installing it on a system. 
Installing SWA from HP Operating Environment Media 
On the HP-UX 11i v2 June 2007 (B.11.23.0706) OE media, and later, SWA is installed by default. 
For instructions on how to install and update HP software from OE media, see the HP-UX 11i 
Installation and Update Guide on the HP Technical Documentation website at http://docs.hp.com. 
Newer versions might be available at the HP Software Depot. 
Installing SWA from HP Applications Media 
On the HP-UX 11i v1 June 2007 (B.11.11.0706) AR media, and later, you can use the swinstall(1M) 
command to install SWA. For instructions on how to install SWA from the AR media, see the 
HP-UX 11i Installation and Update Guide on the HP Technical Documentation website at http:// 
docs.hp.com. Newer versions might be available at the HP Software Depot. 
Installing SWA from a Local or Remote Depot 
If you choose to create a local or remote depot containing SWA for installation, you must have 
the dependent applications either on the system already or in the depot. See “Installation 
Requirements” (page 11) for a list of dependent applications and where to find them. The 
installation from a local or remote depot is the same as the previous instructions on “Installing 
SWA from the Web” (page 12) with the exception that you should use the swcopy(1M) command 
with the dependent applications to include in the depot, and then use the Software Depot 
instructions with the swinstall(1M) command for the depot contents. 
To install SWA, enter the command: 
# swinstall -s your_depot SwAssistant 
The following bundles should exist on the system: 
• SwAssistant (bundle wrapper) 
• SWA (product) 
• SwaMin (product) 
The dependencies for SWA are 
• The Java and Judy libraries 
• The C++ Runtime Library Patch (PHSS_22898, HP-UX 11i v1 (B.11.11) only) 
Installing SWA to Use Within HP SIM 
To use SWA within HP SIM, you should have SWA version C.02.11 or later and HP SIM version 
5.2 or later Central Management System (CMS). 
SWA will be available within HP Systems Insight Manager (HP SIM) if you install SWA while 
HP SIM is running. 
If SWA is installed before HP SIM is initially configured via mxinitconfig, SWA will 
automatically be included for use within HP SIM. See mxinitconfig(1M) for more information. 
If you install SWA when HP SIM is installed but not running, you must run the 
/opt/swa/lbin/configHPSIM script once HP SIM is running again to configure HP SIM for 
SWA. 
The following error indicates HP SIM is not properly configured to run SWA. Use the information 
outlined above to determine whether to run mxinitconfig or configHPSIM. 
12 Installing HP-UX Software Assistant

NOTE: Cannot configure HP SIM. Add SWA to HP SIM by running mxinitconfig 
(1M) or /opt/swa/lbin/configHPSIM 
NOTE: HP SIM servers might require significant space in /var/opt/swa/HPSIM to support 
client systems' analysis, catalog, inventory, and report files. You should consider the number of 
client systems you intend to support and adjust file system sizes accordingly. 
Uninstalling SWA from an HP-UX system 
To remove SWA, enter the command: 
# swremove -x enforce_dependencies=false SwAssistant 
The following objects are removed from the system: 
• SwAssistant (bundle wrapper) 
• SWA (product) 
• SwaMin (product) 
The dependencies for SWA remain on the system. These include: 
• The Java and Judy libraries 
• The C++ Runtime Library Patch (PHSS_22898, HP-UX 11i v1 (B.11.11) only) 
If you do not use the -x enforce_dependencies=false option with the swremove command, 
you will receive error messages regarding dependencies. 
Uninstalling SWA from an HP-UX system 13

14

3 Quick Start 
Steps to Using SWA 
To get started using Software Assistant right away, follow these steps: 
1. Run the Initial Report with the command swa report. 
2. Review Recommended Actions, especially the manual actions, written to standard output. 
3. Download Patches and Make a Depot with the command swa get. 
4. Read the readBeforeInstall.txt file and take appropriate actions. 
5. Install the Depot. 
6. Generate a Second Report. 
7. Put Appropriate Actions in the Ignore File. 
Run the Initial Report 
Issue the following command: 
# swa report 
SWA first builds an inventory of the software currently installed on the system. Then, the catalog 
is downloaded from HP ITRC. 
======= 02/05/08 15:52:35 MST BEGIN Report on Issues and New Software 
<user=username> <jobid=systemname> 
* Gathering Inventory 
* Getting Catalog of Recommended Actions and Software 
NOTE: 
If the system does not have direct access to the web, you can specify a proxy server with the swa 
report extended option proxy. For more information, see Appendix B (page 39) and 
swa-report(1M). SWA supports HTTP basic authentication only. If you do not have a standard 
proxy, you can also specify an arbitrary command for downloading files. See the extended option 
download_cmd. 
After the catalog is downloaded, the analysis is performed and reports are generated. An HTML 
report is written to the file indicated in the standard output messaging, and an Actions Summary 
Report is written to standard output. (Use the -r option to swa report and swa step report 
to specify the report type written to standard output: action (default), issue, detail, html 
or none.) 
* Using existing local catalog file 
* Performing Analysis 
* Generating Reports 
NOTE: See HTML-formatted report "$HOME/.swa/report/swa_report.html" 
The Actions Summary Report begins with the Assessment Profile. The exact catalog and inventory 
files used in the analysis are identified. Detailed analysis information follows. 
Steps to Using SWA 15

Software Assistant 
Actions Summary Report 
ASSESSMENT PROFILE 
Catalog Information 
Catalog File: $HOME/.swa/cache/swa_catalog.xml 
Catalog Date: dd month year hh:mm:ss 
Inventory Source 
Name: systemname 
OS: HP-UX B.11.xx 
Model: model info 
Inventory File: $HOME/.swa/cache/swa_inventory_n.xml 
Inventory Date: dd month year hh:mm:ss 
Analysis Information 
Analysis File: $HOME/.swa/cache/swa_analysis.xml 
Analysis Date: dd month year hh:mm:ss 
Ignore File(s): $HOME/.swa/ignore 
Issues Ignored: n 
Selected Analyzers 
QPK: latest Quality Pack patch bundle 
SEC: security bulletins 
PCW: patches with critical warnings 
The analysis depends on the Selected Analyzers. Default analyzers are quality pack (QPK), 
security (SEC), and critical patch warnings (PCW) because these watch HP's default patch and 
bulletin recommended actions. You can specify the analyzers used with the -a option on the 
command line, or by using the analyzers extended option. See swa-report(1M) for more 
information. 
The report then goes on to report the recommended actions. 
Review Recommended Actions 
Manual actions require direct administrator response and are not managed by SWA. These 
include: 
• Product (non-patch) updates. 
• Product removal. 
• Manually updated files. 
• Other manual actions, such as direct file system changes. 
Manual actions that result in the installation or removal of software might cause changes to the 
list of recommended patches. After resolving the product changes identified as manual actions, 
it is recommended a new analysis is run to create the most accurate patch recommendations. 
Download Patches and Make a Depot 
Issue the following command: 
# swa get -t target_depot 
You are required to specify the depot. By default, a new depot is created. 
NOTE: The swa get command requires superuser privileges. See swa-get(1M) for more 
information. 
The swa get command uses the analysis file created by swa report to determine what software 
to download from HP. 
As each patch is downloaded into the swcache, a notice is displayed on standard output. 
16 Quick Start

.
.
. 
* Downloading Software from HP to Local Cache 
NOTE: Estimated total download size: x bytes. 
* Downloading PHCO_n (1 of x) 
.
.
.
Once the patches have been downloaded to the swcache directory, it is processed into the depot. 
SWA automatically uses MD5 cryptographic hash to verify patch integrity before unpacking 
downloaded patches. For more information on the location of the swcache directory, see 
Appendix A (page 37). 
Read the readBeforeInstall.txt file and take appropriate actions 
The readBeforeInstall.txt is located in the target depot directory. 
This file lists special installation instructions and dependencies to take under consideration for 
all the patches downloaded from HP. Review this file before installing the depot. 
Install the Depot 
The recommended method to install HP-UX patches and patch bundles from a depot is with the 
command: 
# swinstall -s depot -x patch_match_target=true -x autoreboot=true 
Note that this command should only be used within a maintenance window as the system might 
require a reboot. Any reboot will be performed automatically when required. 
Generate a Second Report 
It is useful to compare a post-SWA report with the initial report to see the issues that have been 
resolved and those still requiring resolution. Make sure you save the original report before 
running the following command: 
# swa report -x inventory_max_age=0 
The inventory_max_age=0 is a special value that forces an inventory file update. 
Put Appropriate Actions in the Ignore File 
It might make sense for you to ignore the following types of issues: 
• Manual actions — SWA can't detect if security bulletin manual actions (other than installing 
specific versions of patches or software) have been taken, so after applying a manual action, 
add it to the ignore file to track that the action has been taken. 
• Deferred actions — If you've made a decision to defer addressing a particular issue for some 
period of time, after taking into account the risk of not addressing it, you might wish to add 
it to the ignore file until the issue is revisited or fixed. Be careful not to forget about these 
types of issues, since SWA will stop warning about them. 
HP advises you include comments in the ignore file explaining who added an issue, why, and 
when. Auditors are likely to want this information documented and traceable. 
The ignore file, $HOME/.swa/ignore, includes comments with instructions regarding syntax 
and how to add an issue. You must use the Issue ID given in the Detail report to identify issues 
in an ignore file. 
It is possible to use more than one ignore file with the following syntax: 
# swa report -x ignore_file="file1 file2" 
Read the readBeforeInstall.txt file and take appropriate actions 17

18

4 Creating and Interpreting Reports 
Analysis 
All reports are based on the selected analyzers. SWA is capable of performing a variety of analyses. 
To perform an analysis, Software Assistant requires an inventory file and a catalog file. During 
analysis, those two files are compared to see what issues require attention. Issues in ignore files 
are not included in the analysis. For more information, see “Put Appropriate Actions in the 
Ignore File” (page 17). By default, the resulting analysis file is written to $HOME/.swa/cache/ 
swa_analysis.xml. 
To specify the analyses SWA should run, use the -a option of the swa report or the swa step 
analyze command, or use the extended option analyzers. 
Available analyzers follow, with a description of what SWA will look for: 
• PCW – Installed, active patches with critical warnings. These patches might cause or expose 
a critical problem. The newest recommendable patch in the supersession chain will be 
reported. This is a default analyzer. 
• QPK – Quality Pack (QPK) updates. The quality pack bundle includes stable patches for core 
HP-UX and networking drivers. This is a default analyzer. 
• SEC – Security bulletins that might apply. These are announcements from HP regarding 
potential security issues and recommended actions to resolve them. This is a default analyzer. 
• CRIT – Patches to install that fix critical problems. Problems are categorized as critical based 
on the severity of the problem, not how likely the problem might occur. Critical problems 
include system panics or hangs, process failures, data corruption, severe performance 
degradation, and application-specific critical issues. 
• PW – Installed, active patches with warnings. These patches might cause or expose adverse 
behavior. This category includes patches with critical warnings. The newest recommendable 
patch in the supersession chain will be reported. 
• PATCH – Given a specific patch, SWA indicates whether that patch is required for your 
system or not. HP recommends the CHAIN analyzer to report a patches' relevance to your 
system, since it will report the most recent, stable patch in the chain. 
• CHAIN – Given a specific patch, SWA indicates whether that patch is required for your 
system or not. If the patch is required, SWA selects the HP recommended patch at or above 
the specified patch. 
If no analyzers are specified, the PCW, QPK, and SEC analyses are performed. 
For detailed information on QPK patch bundles and types of patches, see the Patch Management 
User Guide for HP-UX 11.x Systems, available at http://www.docs.hp.com. 
Report Overview 
After the analysis is complete, SWA reports its findings. The types of reports follow. 
Analysis 19

Table 4-1 Report Overview 
What it reports How to generate it Where to find it Use this report for... 
Report 
type 
• Interpreting analyses as 
recommended by HP 
• All the information SWA has 
on the analysis 
• Links to full descriptions of 
security bulletins, patches, 
and bundles 
• Links to download patches 
• $HOME/.swa/report/ 
swa_report.html by 
default 
• The file specified by the 
html_report extended 
option 
• Standard output when 
selected with -r 
• Always 
generated and 
written to a file 
• -r html for 
display of HTML 
source to 
standard output 
Comprehensive 
– includes the 
Action, Issue, 
and Detail 
reports. 
HTML 
• A comprehensive to-do list 
• Patch bundles and patches 
recommended for 
installation 
• A list of recommended 
manual actions 
• Standard output by default 
• Included in HTML report 
• Generated by 
default to 
standard output 
Summary of 
recommended 
actions 
Action 
• A list of exposed problems, 
including those with no 
SWA recommended solution 
• Included in HTML report 
• Standard output when 
selected with -r 
• -r issue for 
display to 
standard output 
Summary of 
issues 
Issue 
• A cross-reference of actions 
to resolved issues 
• Issue IDs 
• Dependencies 
• Issues detected with no 
SWA recommendation for 
resolution 
• Web addresses for relevant 
patch and security issue 
information 
• Web addresses to download 
patches 
• Included in HTML report 
• Standard output when 
selected with -r 
• -r detail for 
display to 
standard output 
Recommended 
actions with 
issue justification 
Detail 
Issues in ignore files are excluded from all reports. For more information, see “Put Appropriate 
Actions in the Ignore File” (page 17). 
The contents of all reports are dependent on the analyzers selected. 
Report excerpts in this chapter are HTML; the same information is reported in text-based reports. 
The HTML Report 
HP recommends using the HTML report, since it provides all the SWA analysis information 
available – it is the compilation of the other reports. This report is always generated and is saved 
to $HOME/.swa/report/swa_report.html by default. You can specify your own filename 
with the html_report extended option. If you want the HTML report displayed to standard 
output, use the -r html option to the swa report command or the swa step report 
command. 
The HTML report begins with the Assessment Profile and then includes the Action report, the 
Issue report, and the Detail report. See the following sections for more information on each type 
of report: “The Action Report” (page 22), “The Issue Report” (page 23), “The Detail Report” 
(page 26). 
The HTML report also includes hyperlinks to detailed information on the HP ITRC for every 
patch and security bulletin issue found by SWA, plus direct links to download patches. 
The HTML report begins with a table of contents, which includes links to all sections of the report. 
20 Creating and Interpreting Reports

The Assessment Profile 
This section is included in every report. It identifies the catalog used, the inventory used, and 
the analysis information for the unique report. The Assessment Profile is required to interpret 
any report by giving it context. Using the information in the assessment profile, an analysis can 
be recreated. 
1
2
3
4 
1 Inventory Source – This information describes the system being analyzed and the inventory 
information for that system. The Model: information will only be available if the system is 
local or accessed with a secure shell connection (ssh). The Inventory Date: is the date 
the inventory was run on the system with the swa report or swa step inventory 
command. 
2 Catalog Information – This is the file downloaded from ITRC with the swa report or swa 
step catalog command. The Catalog Date: is a data timestamp indicating when the 
catalog was created on the ITRC. 
3 Analysis Information – This is the file created when the swa report or swa step 
analysis command was run. The Analysis Date: is the date the analysis was run. The 
ignore files used in the analysis are indicated. The Issues Ignored: indicate the number 
of issues ignored during this analysis. 
4 Selected Analyzers – These are the analyzers the reports are based on. Although not listed, 
the automatically invoked analyzer (AUTO) is always run and cannot be deselected. The 
AUTO analyzer detects problems such as missing dependent patches and unrecognized 
patches. If your analysis has detected AUTO issues, you will see an Automatically 
invoked analyzers section in the Issue report. Options to analyzers are not included in 
the Assessment Profile, such as the patches specified with the CHAIN and PATCH analyzers. 
The Assessment Profile 21

The Action Report 
The Action report is a to-do list of patches and patch bundles to install, plus a list of manual 
actions. This report does not include explanations as to why the actions are required; for this 
information, see the Detail report. 
The patch and patch bundle actions can be taken care of by installing the depot created by the 
SWA commands swa get and swa step depot. The depot includes all the patches and patch 
bundles listed in the Action report, which includes all dependent patches. This allows you to 
install the depot on any system, but the depot might include patches already installed on your 
target system. 
The manual actions require individual, specialized actions as described in the Manual Actions 
section. 
If you have issues that SWA does not have recommendations for (unresolved issues), the Action 
report will warn that the recommended actions are an incomplete solution. Information on 
unresolved issues can be found in the Detail report. 
The Action report is included in the HTML report. It is created and displayed to standard output 
by default. It begins with the Assessment Profile and then is followed by the Patch Bundles, 
Patches, and Manual Actions sections. 
Patch Bundles 
Bundles listed here are Quality Pack (QPK) bundles. Quality pack bundles includes stable patches 
for core HP-UX, graphics, and networking drivers. Depending on your release, there are two 
possible QPK bundles, QPKAPPS and QPKBASE. Both bundles are included in the QPK depot. 
If the QPK bundles include patches with warnings, the fix patches will be listed in the Patches 
section of this report and the patch bundles will be identified as an issue in the Issue report. 
The listed bundles are not found on the target system, but no information is provided as to what 
bundle contents are missing. The bundle equivalency of the QPK contents can be detected with 
the CHAIN and PATCH analyzers. 
Patches
The patches listed in this section are required in addition to those in a QPK bundle – they are 
available individually on the ITRC website. Software Assistant will recommend the newest patch 
in the chain to resolve the issue. 
If unexpected patches are seen in the list, they are usually included as dependencies or to address 
warnings. The detail report can provide the rationale for all patches. SWA creates all depots with 
all requisites included. This allows installation on any system but might include patches that 
can't be installed on a specific system. 
If you have a QPK bundle listed under Patch Bundles, this will not be a complete list of patches 
to install since QPK patches are not included in this list. 
Manual Actions 
These actions require direct administrator response and include product (non-patch) updates, 
product removal, manually updating files, and other manual actions, such as direct file system 
changes. 
Security bulletins are listed only if manual actions are required. If a patch satisfies a security 
bulletin, it will be included in the QPK patch bundle or listed explicitly in the Patches section. 
The date listed for security bulletins is the date the bulletin was posted or last updated. 
A detection confidence rating is included with the action. Note that SWA can only detect software 
that has been installed with swinstall. The ratings are: 
22 Creating and Interpreting Reports

• D – Definite. The recommendation is based on specific revisions of installed software. SWA 
has determined that this fix has not been done. 
• R – Relevant. The recommendation is based on installed software. For some recommendations 
rated R, SWA cannot determine if the action has already been taken. If SWA cannot detect 
if an action has been taken, that issue will always be listed until it is entered in an ignore 
file. 
• U – Unknown. The recommendation is based only on operating system version. SWA cannot 
detect if recommendations rated U have been taken. Issues rated U will always be listed 
until they are entered in an ignore file. 
Manual actions that result in the installation or removal of software might cause changes to the 
list of recommended patches. After resolving the product changes identified as manual actions, 
it is recommended a new analysis is run to create the most accurate patch recommendations. 
The following example illustrates how one issue, a required Security Bulletin 02284r4, can generate 
multiple manual actions. See the Detail report for a detailed cross-reference of actions to issues. 
1 
1 Five manual actions are associated with the one Security Bulletin 02284r4. 
The Issue Report 
The Issue report is included in the HTML report. There is a section for every analyzer selected, 
plus an Automatically invoked analyzers section if there are AUTO issues detected. 
The Issue report includes issues SWA does not have recommendations for (unresolved issues), 
but does not indicate they are unresolved. Information on unresolved issues can be found in the 
Detail report. 
Select the Issue report for display to standard output with the -r issue option to the swa 
report command or the swa step report command. 
Latest Quality Pack Bundle (QPK) 
The Quality Pack analyzer detects the revision of the current QPK bundle and selects available 
updates. 
If patches in a recommended QPK have warnings, they will be listed explicitly in the QPK section 
of the Issue report, as shown in the following example. When available, the patches that fix these 
warnings will be included in the list of actions recommended by SWA. 
The Issue Report 23

1 
1 The Quality Pack bundle QPKBASE includes patches with warnings. 
Security Bulletins (SEC) 
SWA lists all detected security bulletins that might apply to your system. 
It is possible for more security bulletins to be listed here than in the Action report, since this list 
includes bulletins satisfied by patch and manual actions; the Action report only lists the security 
bulletins satisfied by manual actions. 
The following example illustrates that although an issue might generate multiple actions, such 
as the Security Bulletin 02284r4, it is listed once in the Issue report. Below, the various identifiers 
appearing in the report are explained. 
1 
1 The Security Bulletin 02284r4 generates five actions in the Action report (see the associated 
Action report), and a single issue in the Issue report. 
A security bulletin usually has a number of identifiers associated with it. 
The following example explains the identifiers associated with security bulletin 02284r4. 
1 2 3 4 
1 The short form of the external HP security identifier. It is comprised of the numeric portion 
of the HPSBUX identifier, 02284, plus the revision number, r4. 
2 The long form of the external HP security identifier, also called the HPSBUX identifier. 
3 The software security response team number, which is used internally to HP. 
4 The revision number. A security bulletin revision can be issued for minor or significant 
changes. 
24 Creating and Interpreting Reports

NOTE: The Common Vulnerabilities and Exposures (CVE) identifier, if there is one associated 
with the bulletin, is available with the detailed information on the ITRC. Follow the hyperlink 
in the HTML report to access this information. 
Patches that Fix Critical Issues (CRIT) 
Problems are categorized as critical based on the severity of the problem, not how likely the 
problem might occur. Critical problems include system panics or hangs, process failures, data 
corruption, severe performance degradation, and application-specific critical issues. 
If there is a newer patch in the supersession chain, that patch might be listed in the Action report, 
not the patch listed as missing in this section. 
Patches with Warnings (PW) 
This section reports patches with warnings identified by the PW orPCW analyzer. If a newer 
recommendable patch exists, it will be selected. Note that in some instances the best course of 
action is to retain a patch with a warning. 
1
2 
1 This is the posting date of the most recent patch warning. 
2 Patches with critical warnings are identified here. 
Specific Patch (PATCH) and Patch or Recommended Successor (CHAIN) 
Given a user-specified list, the PATCH and CHAIN analyzers identify user-specified patches that 
can be installed. Patches are omitted from the list because the base product is not present or 
because the patch or its replacement is already installed. In an Issue report, these two analyzers 
are equivalent; they differ in the recommendations made within the SWA Action report. 
Automatically Invoked Analyzers 
You might have a section for Automatically invoked analyzers (AUTO) in your report, which is 
an analyzer SWA always runs and cannot be deselected. Problems in this category include missing 
dependent patches and unrecognized patches. An unidentified patch can be a sign of a special 
release or site-specific patch. An out-of-date catalog file might also cause unidentified patches. 
1 
The Issue Report 25

1 The Patch PHKL_31500 is a special patch for HP-UX 11i v2, in that new dependencies may 
be introduced after its release. 
The Detail Report 
This report is included in the HTML report. The Detail report is a comprehensive cross-reference 
between actions and issues, which comes in handy since some issues require multiple actions 
and some actions satisfy multiple issues. 
The Detail report includes information not available in the Action or Issue reports. 
1
2
3 
1 This is the only report that includes the full SWA Issue ID, which is required in an ignore 
file. 
2 The URL is a link to the security bulletin. 
3 The dependencies listed are supporting patches or patch bundles that must be installed. The 
patches will be listed as action items in the Action report unless they are included in a QPK 
targeted for installation. Note that it is not uncommon for HP-UX to have patches that are 
mutually dependent. For more information on patch dependencies, see the Patch Management 
User Guide, available at http://www.docs.hp.com. 
The following example illustrates how one issue, a required Security Bulletin 02284r4, can generate 
multiple manual actions. The Detail report expands on each of the actions. 
26 Creating and Interpreting Reports

Sometimes one action will resolve more than one issue. In the following example, installing 
PHCO_36506 will resolve both a critical issue and a patch warning. Both patches, PHCO_36506 
and PHCO_31562, will appear in the Issue report. Only PHCO_36506 will appear in the Action 
report. The Detail report below shows the cross-reference of the action to both issues. 
The Detail report might include the section, “Unresolved Issues.” These are issues that SWA 
detected but has no action to recommend. An unrecognized patch installed on the target system 
is an example of an unresolved issue. 
Select this report for display to standard output with the -r detail option to the swa report 
command or the swa step report command. 
The Detail Report 27

28

5 Networking Options 
Using SWA in Secure Network Environments 
SWA is able to adapt to a secure network environment where one or more of the default protocols 
SWA uses are blocked. When customizing SWA for your environment, you must keep security 
concerns in mind. 
When SWA runs an analysis of a system, it relies on the integrity of the catalog file and the 
inventory file. The integrity of the catalog file and the analysis file controls the security properties 
of SWA. Depot creation relies on the integrity of the patches within the swcache directory. 
The validity of the catalog file is of primary importance, since it contains all the data for identifying 
issues, recommending solutions, and downloading and verifying content. 
Because the integrity of SWA files must be maintained, use either a secure shell (ssh) connection 
or media when accessing a remote system for the inventory, catalog, analysis, and swcache files. 
Using Proxy Servers With Software Assistant 
The basic way to specify a proxy host and port is with the extended option proxy. You can 
optionally specify a basic HTTP authentication user name and password pair. You can use the 
proxy extended option with the commands swa get, swa report, swa step catalog, 
and swa step download. By default, no proxy information is specified. For more information, 
see the SWA manpages. 
There are protocol-specific extended options (ftp_proxy, https_proxy, and http_proxy) 
and environment variables (ftp_proxy, https_proxy, and http_proxy). You cannot use 
the general proxy extended option, such as 
proxy=http://web-proxy.mycompany.com:8088, as an environment variable. 
For information on the various ways to set SWA extended options, see “Extended Options” 
(page 9). 
For information on SWA errors related to proxies, see Appendix B (page 39). 
Using the download_cmd Extended Option 
The download_cmd extended option can be used to override the default SWA download 
commands, and therefore the protocols SWA uses to download the catalog and patch files. The 
command specified with this option must: 
1. Take one argument supplied by SWA: the URL of the file content to download. 
2. Output the retrieved file content to standard output. 
Programs like wget, curl, and Perl's GET can be used to pass the contents of a URL to standard 
output. These commands may provide support for different types of proxies or can be used with 
ssh to work with a gateway server. The GET command provides basic functionality. The wget 
and curl commands provide extended functionality and are provided with HP-UX 11i Internet 
Express (see www.hp.com/go/internetexpress). All three of these commands are available for 
operating systems other than HP-UX, such as Linux and Windows. 
Example: Use SWA With a Gateway 
If you would like to use SWA without direct internet access, you can use the download_cmd 
extended option and a gateway server to access the catalog and patch files. This gateway can be 
a non-HP-UX system that has any of the aforementioned commands functional on it. 
The /opt/perl/bin/GET command satisfies the download_cmd extended option requirements 
listed above. The following procedure is to be run on the system to be analyzed. 
Using SWA in Secure Network Environments 29

1. Create an inventory of the local system, then download the catalog using the gateway system, 
run an analysis, and create a report: 
# swa report -x download_cmd='ssh user@gateway_sys /opt/perl/bin/GET' 
2. Review the recommended actions and issues. 
3. Download patches using the gateway system and make a depot on the local system: 
# swa get -t target_depot -x download_cmd='ssh user@gateway_sys \ 
/opt/perl/bin/GET' 
4. Continue with the patch installation procedure as outlined in Chapter 3 (page 15). 
For more information on download_cmd, see swa-get(1M), swa-report(1M), and swa-step(1M). 
Running SWA on a System Without Access to the Internet 
If you must run SWA on a system that does not have Internet access, you can obtain the catalog 
and patches using a system connected to the Internet, and then transfer the downloaded files to 
the protected system using media or ssh. Required patches will have to be manually requested 
and downloaded from the ITRC at http://itrc.hp.com. You can run SWA without any network 
access whatsoever by using media to transfer the files from the system connected to the Internet. 
You can also print the system's Action report and carry it to a system with Internet access when 
downloading patches. 
Example: Using SWA Without Internet Access 
1. Using a system with Internet access (this system may be a PC), download the catalog from 
the ITRC from https://ftp.itrc.hp.com/wpsl/bin/doc.pl/screen=wpslDownloadPatch/ 
swa_catalog.xml.gz?PatchName=/export/patches/swa_catalog.xml.gz. 
Alternatively, you can use the FTP location ftp://ftp.itrc.hp.com/wpsl/bin/doc.pl/ 
screen=wpslDownloadPatch/swa_catalog.xml.gz?PatchName=/export/patches/ 
swa_catalog.xml.gz. 
2. Transfer the catalog to the system to be analyzed using ssh or media. The catalog's default 
location is $HOME/.swa/cache. Uncompress the file with 
# gunzip swa_catalog.xml.gz 
3. Create an inventory, run an analysis, and generate a report on the system with 
# swa report -x catalog_max_age=-1 
The catalog_max_age=-1 extended option setting instructs SWA to skip the catalog 
download step. Note that you can use the extended option catalog to specify the catalog 
location if it is other than the default $HOME/.swa/cache/swa_catalog.xml. 
4. Evaluate the reports and determine the patches to be downloaded. 
5. Contact the ITRC from a system connected to the Internet and select the patches you wish 
to install. Once you have a selected patch list, download them in your desired format. HP 
recommends using the depot creation script included with the patches since it will make 
installation easier. 
Note that when using media or other means to relocate the swcache files to a new system 
(the swa get and swa step download commands are not used), the MD5 cryptographic 
hash validation of the patches is not repeated. 
6. Continue with the patch installation procedure as outlined in Chapter 3 (page 15). 
For more information, see the Security Considerations section of swa(1M). 
30 Networking Options

6 Running SWA From Within HP SIM 
Software Assistant runs on the HP SIM 5.2 or later Central Management Server (CMS). See 
“Installing SWA to Use Within HP SIM” (page 12) for information on installing SWA for HP 
SIM. SWA versions C.02.11 and later are recommended for use with HP SIM. 
To launch SWA from the HP SIM toolbar, select Tools.Software Assistant.Generate Report.... 
NOTE: HP SIM servers might require significant space in /var/opt/swa/HPSIM to support 
client systems' analysis, catalog, inventory, and report files. You should consider the number of 
client systems you intend to support and adjust file system sizes accordingly. 
Selecting Target Systems 
From HP SIM you can easily run SWA against multiple HP-UX systems simultaneously by 
selecting an entire collection to analyze, selecting individual systems, or a combination of the 
two. After your initial selection from the Select Target Systems page, you will be able to add or 
remove systems on the Verify Target Systems page as described in “Verifying Selected Systems” 
(page 32). 
To select all the systems in a collection for analysis: 
1. Make sure the Collection radio button is selected in the Add targets by selecting from: box. 
2. Select a collection from the pull-down menu. 
3. Select the check-box next to the Select “collection” itself text. 
4. Select Apply. (Selecting View Contents will change the mode to selecting systems 
individually, described below.) 
To select individual systems from a collection: 
1. Select the Collection radio button in the Add targets by selecting from: box. 
2. Select the desired collection from the pull-down menu. 
3. Deselect the Select “collection” itself check box. 
Selecting Target Systems 31

4. Click View Contents. 
5. Select the check boxes of desired systems. Selecting the check box in the top title row will 
toggle between selecting and deselecting all listed systems. 
6. Click Apply. 
To search for individual systems to select: 
1. Select the Search radio button in the Add targets by selecting from: box. 
2. Type the search text in the text box. The top six search matches appear in a popup box for 
quick selection. 
3. Click Search. 
4. Select the check boxes of desired systems. Selecting the check box in the top title row will 
toggle between selecting and deselecting all listed systems. 
5. Select Apply. 
TIP: Clicking in a column header area will sort the systems alphabetically by that column. Click 
again to reverse-order the list. 
Verifying Selected Systems 
After you select Apply from one of the selection methods listed above, the Verify Target Systems 
page is displayed. Use the buttons at the bottom of the system list to manage your selections. 
• Select Add Targets... and add systems to the target systems list as described in “Selecting 
Target Systems” (page 31). Select Apply. You can click Cancel to close the Add Targets... 
interface and retain the original list of selected systems. 
• Select Remove Targets... and select the check box next to systems you wish to remove from 
analysis. Select Apply. Selecting the check box in the top title row will select all systems for 
removal. You can click Cancel to close the Remove Targets... interface and retain the original 
list of selected systems. 
Once you have finalized the systems to be analyzed, select Run Now. 
32 Running SWA From Within HP SIM

NOTE: The Add Event Filter... selection provided by HP SIM is not a valid selection for HP-UX 
Software Assistant. 
Running Your Analysis 
Once you have selected (“Selecting Target Systems” (page 31)) and verified (“Verifying Selected 
Systems” (page 32)) the systems to be analyzed, selecting Run Now from the Verify Target Systems 
page will launch the analysis: the SWA Options page is displayed. 
Setting Report Options for SWA in HP SIM 
Use the SWA Options page to select the analyzers, networking parameters, and ignore files for 
this analysis. By default, the QPK, SEC, and PCW analyzers are selected; there is no custom 
networking information; and the user ignore file $HOME/.swa/ignore is not selected and no 
other ignore files are specified. If there are SWA Options values defined in /etc/opt/swa/ 
swa.conf, they will be reflected on this page. 
When SWA runs under HP SIM, it uses the system-wide SWA configuration file /etc/opt/ 
swa/swa.conf, where you can specify extended options for your SWA session. For more 
information, see “Extended Options” (page 9). 
Analyzers –Select the checkbox for all analyzers you want used in this report. If no analyzers 
are selected, SWA will run with the default analyzers: QPK, SEC, and PCW. 
• Quality Pack (QPK) – The Quality Pack analyzer detects the revision of the current QPK 
bundle and selects available updates. 
• Security Bulletins (SEC) – The Security Bulletins analyzer will list all detected security 
bulletins that might apply to your system. These are announcements from HP regarding 
potential security issues and recommended actions to resolve them. 
• Patches that Fix Critical Issues (CRIT) – This analyzer detects patches that fix critical problems. 
Problems are categorized as critical based on the severity of the problem, not how likely the 
Running Your Analysis 33

problem might occur. Critical problems include system panics or hangs, process failures, 
data corruption, severe performance degradation, and application-specific critical issues. 
• Patches with Critical Warnings (PCW) – This analyzer detects installed, active patches with 
critical warnings. These patches might cause or expose a critical problem. The newest 
recommendable patch in the supersession chain will be reported. 
• Patches with Warnings (PW) – The PW analyzer detects installed, active patches with 
warnings. These patches might cause or expose adverse behavior. This category includes 
patches with critical warnings (PCW) and those with noncritical warnings (PNW). The 
newest recommendable patch in the supersession chain will be reported. 
Networking – 
• Disable catalog update – This option corresponds to the catalog_max_age extended option 
value of –1. By selecting this box, you are instructing SWA to skip the catalog download 
step. If this option is not checked, the behavior is for SWA to download a new catalog if the 
current catalog was created on the ITRC more than 24 hours ago. The creation date is based 
on the timestamp recorded inside the file. 
• Specify proxy – With this, you may specify a proxy host and port (with optional HTTP basic 
authentication username and password) for accessing content using the relevant protocol. 
The following format is used: 
http://[user:password@]proxy-server[:port] 
For example, 
http://web-proxy.mycompany.com:8088 
If a username and password are specified as authentication credentials to your proxy server, 
HTTP basic authentication is used, which is a clear-text protocol (your password might be 
visible to others on your network). If you do not have a standard proxy, you can also specify 
an arbitrary command for downloading files – use the download_cmd extended option, 
which can be set in a configuration file (swa.conf on the Central Management Server 
(CMS)). The HTTPS protocol is used for catalog download and the HTTP protocol is used 
to download the CRL. This proxy setting controls the default for all proxies. 
Ignore files – All ignore files indicated here correspond to the ignore_file extended option. 
• Enable user ignore file – Checking this option will cause SWA to use the $HOME/.swa/ 
ignore file on the CMS when running its report. If you select this option and no user ignore 
file exists, SWA will create a template ignore file for you. 
• Other ignore files – It is possible to use more than one ignore file when running a report. 
Enter as many ignore files as you like in the text box, delimited by any white space. If you 
enter a file that doesn't exist, SWA will display an error message. 
• It might make sense for you to ignore the following types of issues: 
— Manual actions – SWA can't detect if security bulletin manual actions (other than 
installing specific versions of patches or software) have been taken, so after applying a 
manual action, add it to an ignore file to track that the action has been taken. 
— Deferred actions – If you've made a decision to defer addressing a particular issue for 
some period of time, after taking into account the risk of not addressing it, you might 
wish to add it to an ignore file until the issue is revisited or fixed. Be careful not to forget 
about these types of issues, since SWA will stop warning about them. 
HP advises you to include comments in ignore files explaining who added an issue, why, and 
when. Auditors are likely to want this information documented and traceable. The ignore file 
template includes comments with instructions regarding syntax and how to add an issue. You 
must use the Issue ID given in the Detail report to identify issues in an ignore file. 
Running SWA 
When you have selected the options for this analysis, click Next> from the SWA Options page to 
start SWA. 
34 Running SWA From Within HP SIM

SWA will proceed through the steps: getting catalog, getting inventory, processing 
targets, and done. As each target is processed, its status is displayed in the Status column. 
Also displayed is the Job ID, which allows you to identify the job files for this particular SWA 
session. Job files include the log file, an overview index.html file, and the comprehensive 
HTML reports. They are stored under the /var/opt/swa/HPSIM/root/Job ID directory 
when you run as root user. For example, the HP SIM SWA job 115921_swa10.fc.hp.com 
will generate a directory named /var/opt/swa/HPSIM/root/ 
job_115921_swa10.fc.hp.com. You can view the log file for the current job by clicking View 
Log on the Generate Report page. 
The Multisystem Summary Report 
The SWA multisystem summary report includes the following information: 
• Status – SWA will proceed through the steps: getting catalog, getting inventory, 
processing targets, and done. As each target is processed, its status is displayed in 
the Status column. 
• Actions – The total number of actions listed in the Action report. 
• Issues – The total number of exposed problems, including those with no SWA recommended 
solution. 
• Analyzers – The number of issues according to each analyzer run. 
• AUTO – The number of issues identified by SWA that are not associated with the selectable 
analyzers. 
• Ignored – The number of issues that were identified but ignored due to the contents of an 
ignore file. 
The Multisystem Summary Report 35

To view comprehensive analysis report for a specific system, select that system's radio button 
by clicking anywhere in its row. The full results include hyperlinks to detailed information on 
the HP ITRC for every patch and security bulletin issue found by SWA, plus direct links to 
download patches. 
To get SWA online help, select Help.For This Page from the HP SIM toolbar, or select the 
question mark icon. 
36 Running SWA From Within HP SIM

A Useful Files and Directories 
Many of the following files have characteristics that may be modified by extended options, 
including the location and name. For more information, see swa-report(1M), swa-get(1M), 
swa-step(1M), and swa-clean(1M). 
Table A-1 SWA Useful Files and Directories 
Location Purpose 
The per-user SWA configuration file. This file takes 
precedence over the system-wide SWA configuration file. 
$HOME/.swa.conf 
An HP-supplied catalog file from the ITRC website that 
contains known security issues and other defects along 
with their solutions. This file is downloaded with the 
command swa report or swa step catalog. 
$HOME/.swa/cache/swa_catalog.xml 
The analysis of the inventory file and the catalog file 
created with swa report or swa step analyze. 
$HOME/.swa/cache/swa_analysis.xml 
The inventory of installed software created by swa 
inventory or swa step inventory. 
$HOME/.swa/cache/swa_inventory_n.xml 
Use this file to specify issues for analyzers to ignore. It is 
possible to use more than one ignore file by using the 
extended option ignore_file. 
$HOME/.swa/ignore 
The comprehensive report written by swa report and 
swa step report. 
$HOME/.swa/report/swa_report.html 
Default alternative log file if you don't have permissions 
to write to /var/opt/swa/swa.log. 
$HOME/.swa/swa.log 
/etc/opt/swa/swa.conf The system-wide SWA configuration file. 
An example configuration file outlining the usage of each 
extended option. 
/etc/opt/swa/swa.conf.template 
Script to configure HP SIM 5.2 and later for SWA. Only 
required if SWA is installed when HP SIM is installed but 
not running. HP SIM must be running when 
configHPSIM is run. 
/opt/swa/lbin/configHPSIM 
/opt/swa/share/man Manpages. 
The default directory for downloading software before it 
is packaged in a depot. This directory can be set with the 
extended option swcache. Note that this directory can 
consume a significant amount of disk space. 
/var/opt/swa/cache 
Directory that holds all clients' files generated from SWA 
within HP SIM. Files are kept in user and job-specific 
subdirectories. This directory might require significant 
space to support clients' analysis, catalog, inventory, and 
report files. 
/var/opt/swa/HPSIM 
User-specific directory used by SWA when running under 
HP SIM. 
/var/opt/swa/HPSIM/user 
/var/opt/swa/swa.log Default log file. 
Lists all files downloaded from HP to the swcache. It is 
located in the swcache directory. 
download.contents 
Lists special installation instructions and dependencies 
for the patches in the depot. It is located in the depot 
directory. 
readBeforeInstall.txt 
37

38

B Troubleshooting SWA 
Useful files for troubleshooting are the swa.log file and the swa.conf file. Make sure these 
files are available if you are placing a support call to HP regarding HP-UX SWA. 
The swa.log file. 
The SWA log file details each SWA session. Its default location for root users is /var/opt/swa/ 
swa.log. If you do not have permissions to write to the default file, the log file is written to 
$HOME/.swa/swa.log. 
Each action in the log file can be verified by looking in the swcache, the usercache, or the reports 
generated by SWA. 
The swa.conf file. 
The SWA configuration file is useful for showing the extended options settings used in your 
SWA session. The system-wide configuration file is located in /etc/opt/swa. You may also 
find .swa.conf files for local users in their $HOME directories. Extended options given on the 
command line override settings in SWA configuration files. For more information, see the 
Extended Options area of the manpages swa-clean(1M), swa-get(1M), swa-report(1M), and 
swa-step(1M). 
Common Errors 
CRL checking error when getting catalog 
Because of some changes in catalog acquisition, you might see an error like this: 
* Getting Catalog of Recommended Actions and Software 
Certificate issued to VeriSign Class 3 Secure Server CA was not signed 
by the same certificate as the certificate revocation list (CRL) 
"http://crl.verisign.com/RSASecureServer.crl", specified by the 
"crl_url" extended option. It may be necessary to disable the CRL 
checking with the "crl_check" option. 
This problem has been fixed in version C.02.11. HP recommends upgrading to SWA version 
C.02.11 to avoid this error. Download SWA from the HP-UX Software Assistant web page at 
https://www.hp.com/go/swa. You can also avoid this error by setting the crl_check option to 
false. 
Failed to read swa_catalog.xml 
Occasionally the catalog file is unavailable from http://itrc.hp.com. If this is the case, you might 
see an error like this: 
* Gathering Inventory 
* Using existing inventory for host "gold" 
* Getting Catalog of Recommended Actions and Software 
ERROR: Failed to read: https://ftp.itrc.hp.com/wpsl/bin/doc.pl 
/screen=wpslDownloadPatch/swa_catalog.xml.gz?PatchName=/export 
/patches/swa_catalog.xml.gz Message: URL cannot be opened. Read timed out 
Gathering Inventory failed with 1 error. 
Proxy errors 
A proxy server is sometimes required. If this is the case, and proxy settings are absent or incorrect, 
you might see an error like this: 
* Loading CRL from http://crl.verisign.com/RSASecureServer.crl 
ERROR: Unexpected error while downloading CRL from 
http://crl.verisign.com/RSASecureServer.crl" specified by extended 
option "crl_url". It may be necessary to specify a proxy. 
The swa.log file. 39

Alternatively, you may choose to disable CRL checking. Error was 
"Connection refused (errno:239)". 
SWA supports only basic HTTP authentication. Authentication using other means, such as NTLM, 
is not supported. You might see authentication errors like the following when attempting to 
authenticate via an ISA server using NTLM: 
WARNING: Can't download from 
<http://crl.verisign.com/RSASecureServer.crl> 
Error status is: 407 Proxy Authentication Required ( The ISA 
Server requires authorization to fulfill the request. Access to the Web 
Proxy filter is denied. ). 
The network may be down, or you may be behind a firewall, or 
you might not have the correct permissions. The value of $http_proxy is 
"<http://proxy-svr.place.hp.com:8088>". If you are behind a firewall 
be sure that this is correct. 
You can specify a proxy server with the swa report extended option proxy. For more 
information, see swa-report(1M). If you do not have a standard proxy, you can specify an arbitrary 
command for downloading files. See the extended option download_cmd. 
HP SIM Errors Related to SWA 
SWA Installation Error 
NOTE: Cannot configure HP SIM. Add SWA to HP SIM by running mxinitconfig 
(1M) or /opt/swa/lbin/configHPSIM 
This note means HP SIM has not been configured to run SWA. See “Installing SWA to Use Within 
HP SIM” (page 12) for information on installing SWA for use within HP SIM, and the use of the 
mxinitconfig and configHPSIM commands. 
Performance Issues 
HP SIM 5.2 logs SWA inventory data within SIM memory. SIM can encounter performance issues 
and ultimately hang when the amount of logged data exceeds the amount of memory configured 
for the Java Virtual Machine. To work around this issue, select Tasks & Logs.View Task 
Results... from the HP SIM toolbar and delete all SWA Inventory tasks. 
If SIM appears to hang when you select Tasks & Logs.View Task Results..., it is possible to 
allocate additional memory to Java using the following procedure: 
1. Stop the SIM server. 
# /sbin/init.d/hpsim stop 
2. Edit /etc/opt/mx/config/globalsettings.props to include the following: 
JVMMAXHEAP=1000 
JVMMINHEAP=48 
JVMNEWSPACE=32 
3. Restart the SIM server. 
# /sbin/init.d/hpsim start 
Once SIM has been restarted, the Task Results page should be accessible. 
If the value of JVMMAXHEAP is not large enough, /var/opt/mx/logs/mxdomainmgr.0.log 
will contain a message similar to 
15:41:33,147 ERROR [STDERR] java.lang.OutOfMemoryError: Java heap space 
If this is seen, further increase the value of JVMMAXHEAP and restart the server. 
40 Troubleshooting SWA

C SWA Manpages 
41

swa(1M) 
NAME 
swa -- HP-UX Software Assistant 
SYNOPSIS 
swa [[-x] -?] 
swa report [-a analyzer] [-r stdout_report_type] [-s inventory_source] 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
swa get [-p] -t target_depot 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
swa step {inventory|catalog|analyze |report|download |depot} [step_options] 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
swa clean {swcache|usercache |all} [-p] 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
DESCRIPTION 
HP-UX Software Assistant (SWA) can analyze a system (and some types of depots) for patch 
warnings, critical defects, security bulletins, missing Quality Pack patch bundle, and user-specified 
patches and patch chains. SWA uses an HP-supplied catalog file to analyze a system and generate 
reports. From this analysis, swa get can download patches and build a Software Distributor 
(SD-UX) depot which will fix many of the issues in the report. SWA also recommends additional 
actions in the report which you need to take care of manually. SWA combines most of the abilities 
of Security Patch Check (SPC) and all of the abilities of the HP IT Resource Center (ITRC) Patch 
Assessment Tool into a single solution that runs locally on HP-UX systems. SWA can analyze 
software installed on HP-UX systems or present within (some types of) depots. SWA is divided 
into two bundles, SwAssistant (which contains security_patch_check and swa), and 
SwMgmtMin. The SwAssistant bundle must be installed to get full functionality, whereas the 
SwMgmtMin bundle only allows you to inventory systems and remove files created by SWA. 
The contents of the SwAssistant bundle has a dependency on Java™, Perl, and the contents of 
the SwMgmtMin bundle. 
After SWA analyzes which issues are relevant to the software on the system or in the depot, it 
determines the recommended resolution for each issue by providing text and HTML reports. 
The "action" and "issue" reports are available in text format (printed to standard output). The 
"detail" report is available in HTML and text formats. See swa-report(1M) for more details about 
this functionality. 
The reports include recommendations that may or may not involve patching. When the 
recommended solution includes patches, SWA can download them and construct a depot which 
may be used as an installation source. See swa-get(1M) for more details about this functionality. 
Advanced users can also control the individual steps performed by swa report (inventory, 
catalog, analyze, and report) and swa get (download and depot). See swa-step(1M) for 
more details about this functionality. 
As you use SWA to report on systems and download software, objects will be cached on your 
disk for later use. 
To recapture disk space used by objects that SWA cached, see swa-clean(1M). 
Options 
swa recognizes the following option: 
[-x] -? Display usage information. If the -x option is specified, then display usage and list 
all swa extended options for all major modes. 
The swa command has four major modes of operation which are listed in order of typical usage 
and described in individual manpages: 
42 SWA Manpages

report Generate reports on issues and recommended actions. See swa-report(1M). A given 
system or depot is inventoried and analyzed against a catalog of HP software and 
known security issues, and a report is generated. 
get Download software and create a depot. See swa-get(1M). Software identified by swa 
report is downloaded from HP, and added to a depot. Depending upon options, 
either a new depot is created, or an existing depot is added to. 
step Perform an individual step of the swa report or swa get command, both of which 
are actually composed of multiple steps (advanced usage). See swa-step(1M). 
clean Remove software and files cached by SWA. See swa-clean(1M). 
Security Considerations 
The analysis that swa performs relies on the integrity of the inventory to determine the appropriate 
patches to install on the system. It is important that all protocols used to transmit the inventory 
data are integrity protected and that the host used to generate the inventory data is accurately 
represented. For example, use of swlist for gathering an inventory of a remote system uses a 
clear-text, unauthenticated protocol that does not protect the integrity of the data. Using Secure 
Shell to gather an inventory of a remote system uses an integrity protected (and encrypted) 
protocol. Even when using Secure Shell, the analysis still relies on the source of the data (the 
remote host) to accurately represent the software contents installed on that system. 
Software download (swa get or swa step download) relies on the integrity of the analysis 
file to ensure the integrity of patches before unpacking them. The analysis file gets MD5 checksum 
information directly from the catalog. Therefore it is important that all transmissions of the 
catalog and/or analysis file are integrity protected and that file permissions do not allow 
unnecessary modification. 
Depot creation (swa get or swa step depot) relies on the integrity of the patches within the 
swcache directory. Therefore, after unpacking the patches, it is important that all subsequent 
transmissions of the patches are integrity protected and that file permissions do not allow 
unauthorized modification. Deploying software using Software Distributor (using the swinstall 
command) has security properties that are documented in the Software Distributor Administration 
Guide. 
RETURN VALUE 
swa returns the following values: 
0 Success completion 
1 Error 
2 Warning 
EXAMPLES 
To display swa usage information: 
swa -? 
To display usage and list all swa extended options for all major modes: 
swa -x -? 
To inventory the local system, analyze it against an HP-supplied catalog (of known software and 
issues) for newer Quality Pack patch bundles, security issues, and critical patch warnings, and 
then generate a default standard output "action" report: 
swa report 
To create a report for security issues (SEC) for a remote system inventory gathered with Secure 
Shell, and running ssh in batchmode to avoid being prompted for user input: 
swa report -a SEC -s ssh://user@remotesystem \ 
-x ssh_options='-o batchmode=yes' 
To create a detailed report for remotesystem, limited in scope to Quality Pack patch bundle 
analysis (QPK) and patches with critical warnings (PCW). This example uses the swlist 
networking protocol, which is not integrity protected: 
43

swa report -a QPK -a PCW -s remotesystem -r detail 
To do the same task as the previous example, using the extended option equivalents (which can 
be specified on the command line, in a user or system configuration file, or in an extended options 
file): 
swa report -x analyzers='QPK PCW' -x inventory_source=remotesystem \ 
-x stdout_report_type=detail 
To generate a report and place the analysis results in the ~/firstanalysis.xml file (for later 
use by swa get): 
swa report -x analysis_file=~/firstanalysis.xml 
To generate a report, updating the catalog of HP software if it is more than 48 hours old: 
swa report -x catalog_max_age=48 
To generate a report using a specified catalog of HP software without updating that catalog: 
swa report -x catalog=~/mycatalog.xml -x catalog_max_age=-1 
To generate a report always updating the catalog of HP software: 
swa report -x catalog_max_age=0 
To get patches from HP that are recommended in the default analysis file (that is, from the 
previous swa report command) and place the results into the new depot, mydepot: 
swa get -t mydepot 
To add newly recommended patches into the existing depot, mydepot, only downloading patches 
from HP that are neither in mydepot nor previously downloaded: 
swa get -t mydepot -x allow_existing_depot=true 
To preview which patches need to be downloaded from HP and added to an existing depot 
without actually doing the work, and with increased verbosity: 
swa get -p -v -t mydepot -x allow_existing_depot=true 
To remove all cached inventory, catalog, and analysis information in the default location: 
swa clean usercache 
To remove all cached downloaded software in the default location: 
swa clean swcache 
To preview the removal of all cached downloaded software in the default location: 
swa clean swcache -p 
To remove all cached inventory, catalog, analysis, and downloaded software in specified locations: 
swa clean all -x user_dir=~/myusercache -x swcache=/my/cache 
AUTHOR 
swa was developed by HP. 
FILES 
/etc/opt/swa/swa.conf System-wide Software Assistant configuration file. 
/etc/opt/swa/swa.conf.template Template file that documents each -x option. 
$HOME/.swa.conf Per-user Software Assistant configuration file. 
/var/opt/swa/swa.log Default log file location for root users. For users without 
write permissions to the default log location, a swa.log 
file is created under the directory specified by the 
user_dir extended option. 
download.contents Lists all files downloaded from HP stored within the 
swcache, a directory specified by the swcache extended 
option. 
44 SWA Manpages

readBeforeInstall.txt Lists special installation instructions and other 
dependencies for the patches in the depot. Located in the 
root directory of the target depot. 
ignore Lists issue IDs to be ignored (for example, they are 
completed or not applicable). Supports comments and 
regular expressions. See regexp(5). 
SEE ALSO 
swa-clean(1M), swa-get(1M), swa-report(1M), swa-step(1M). 
HP-UX Software Assistant System Administration Guide and HP-UX Software Assistant Release Notes 
at http://docs.hp.com. 
45

swa-clean(1M) 
NAME 
swa-clean: swa -- remove files created by SWA 
SYNOPSIS 
swa clean {swcache|usercache|all} [-p] 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
DESCRIPTION 
The swa clean command allows the user to remove software and files cached by Software 
Assistant (SWA). As SWA is used to report on systems and download software, objects are cached 
on disk for later use. There are two caches. The first cache is for catalog, inventory, and analysis 
information, and the second cache is for software downloaded from HP. The swa clean 
command allows the recapture of this disk space. 
The swa clean commands are as follows: 
swa clean swcache Remove files containing software downloaded by swa get into 
the swcache directory. The swcache directory is specified by the 
swcache extended option. The directory is often one or more 
gigabytes in size. 
swa clean usercache Remove cached files that were created by swa report. These 
files are stored in the cache subdirectory of the directory specified 
by the user_dir extended option. Generally, the cache directory 
includes the inventories of systems and depots, the catalog of 
issues and recommended resolutions, and the results of the 
analysis. This directory is often a dozen or more megabytes in 
size. 
swa clean all Clean the usercache and the swcache directories. 
Options 
swa clean recognizes the following options: 
-p Runs this command in preview mode. 
-q The verbosity level is decreased by one for each instance -q is specified. 
(See also the -x verbosity option.) 
-v The verbosity level is increased by one for each instance -v is specified. 
(See also the -x verbosity option.) 
-? Displays general usage. 
-option -? Describes the legal values for this option. If option is -x, all possible 
extended options are listed for the specified major mode (swa command). 
If no major mode is given, all extended options are listed for all the major 
modes. 
-x option=value Sets the extended option to a value. See the Extended Options definitions 
below. 
-x option=-? Describes the legal values for this option. 
-X option_file Gets the extended options from option_file. For a description and 
examples of syntax for this file, see the 
/etc/opt/swa/swa.conf.template file. 
Extended Options 
The extended options may be specified in different ways: on the command line using the -x 
option, in an option file specified using the -X option, or in one of the configuration files 
/etc/opt/swa/swa.conf (system wide) or $HOME/.swa.conf (user-specific). The 
46 SWA Manpages

/etc/opt/swa/swa.conf.template file provides example syntax for a configuration or -X 
file. 
If the same option is given in multiple locations, the following order is prioritized from highest 
to lowest: 
1. Options specified on the command line 
2. Options specified within an option file (-X option_file) 
3. Proxy environment variables (See the Environment Variable section.) 
4. Options specified within the $HOME/.swa.conf file 
5. Options specified within the /etc/opt/swa/swa.conf file 
6. Default value, specified in the descriptions of each option below in 
option_name=default_value format. 
Note: If the same option or extended option is given multiple times in the same location, the 
last option takes effect. If the option has a single letter equivalent (for example, -v and -x 
verbosity) and both are used on the command line, the single letter option generally takes 
precedence. If the single letter option affects an extended option that takes a list of arguments, 
specifying the single letter option multiple times will append to the list. 
swa clean recognizes the following -x (extended) options which are shown with their default 
values: 
-x logfile=/var/opt/swa/swa.log 
Usage: Basic 
Applicable caches: swcache usercache all 
This is the path to the log file for this command. Each time SWA is run, this file will grow 
larger. This can be changed, for example, to a month-specific location for easier archiving, 
off-host backup, and rotation. 
-x log_verbosity=4 
Usage: Basic 
Applicable caches: swcache usercache all 
Specifies the level of message verbosity in the log file (See also -x verbosity). Legal values 
are: 
0 Only ERROR messages and the starting/ending BANNER messages. 
1 Adds WARNING messages. 
2 Adds NOTE messages. 
3 Adds INFO messages (informational messages preceded by the asterisk '*' character). 
4 Adds verbose INFO messages; this is the default. 
5 Adds very verbose INFO messages. 
-x preview=false 
Usage: Basic 
Applicable caches: swcache usercache all 
Specifies if swa clean should be run in preview mode or not. If preview is set to false, 
do not run in preview mode. If preview is set to true, run this command in preview mode 
only (that is, complete the analysis phase and exit; no changes are committed to disk). Setting 
this option to true has the same effect as specifying -p on the command line. 
-x swcache=/var/opt/swa/cache 
Usage: Basic 
Applicable caches: swcache all 
This is the directory where SWA stores downloaded patches before putting them into a depot. 
The default location is only writable by root, so this directory needs to be changed for a 
non-root user to be able to download software. Opening up permissions on the default 
location is not recommended. 
47

-x user_dir=~/.swa 
Usage: Basic 
Applicable caches: usercache all 
This is the directory where SWA stores catalog, inventory, analysis, ignore, and report files. 
The default location is a subdirectory (.swa) of the user's home directory. This can be changed, 
for example, to allow archival of previous interim artifacts in a date-specific directory or 
off-host. Several other options default to a directory relative to this directory, so changing 
this option allows all of those locations to stay in synch relative to a common root. 
-x verbosity=3 
Usage: Basic 
Applicable caches: swcache usercache all 
Specifies the level of standard error verboseness: 
0 Only ERROR messages and the starting/ending BANNER messages. 
1 Adds WARNING messages. 
2 Adds NOTE messages. 
3 Adds INFO messages (informational messages preceded by the asterisk '*' character); 
this is the default. 
4 Adds verbose INFO messages. 
5 Adds very verbose INFO messages. 
Note: The -v option is equivalent to increasing verbosity by 1 (for example, from 3 to 4), 
and the -q option is equivalent to decreasing verbosity by 1. The -v and -q options can be 
used more than once. 
RETURN VALUE 
swa clean returns one of the following values: 
0 Successful completion 
1 Error 
2 Warning 
EXAMPLES 
To display swa clean usage information: 
swa clean -? 
To display usage and list all swa clean extended options: 
swa clean -x -? 
To run swa clean using the options specified in the file ./myconfig: 
swa clean -X ./myconfig 
To remove all cached inventory, catalog, and analysis information in the default location: 
swa clean usercache 
To remove all cached downloaded software in the default location: 
swa clean swcache 
To preview the removal of all cached downloaded software in the default location: 
swa clean swcache -p 
To remove all cached inventory, catalog, analysis, and downloaded software in specified locations: 
swa clean all -x user_dir=~/myusercache -x swcache=/my/cache 
AUTHOR 
swa was developed by HP. 
48 SWA Manpages

FILES 
/etc/opt/swa/swa.conf System-wide Software Assistant configuration file. 
/etc/opt/swa/swa.conf.template Template file that documents each -x option. 
$HOME/.swa.conf Per-user Software Assistant configuration file. 
/var/opt/swa/swa.log Default log file location for root users. For users without 
write permissions to the default log location, a swa.log 
file is created under the directory specified by the -x 
user_dir extended option. 
SEE ALSO 
swa(1M), swa-get(1M), swa-report(1M), swa-step(1M). 
HP-UX Software Assistant System Administration Guide and HP-UX Software Assistant Release Notes 
at http://docs.hp.com. 
49

swa-get(1M) 
NAME 
swa-get: swa -- download software from HP to resolve issues and make a depot 
SYNOPSIS 
swa get [-p] -t target_depot 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
DESCRIPTION 
The swa get command downloads software from HP to resolve issues identified by swa 
report; see swa-report(1M). By default, a new depot is created. While swa get can update an 
existing depot, it does not analyze that depot for issues and the original contents of that depot 
are the responsibility of the system administrator. Currently, only patches can be downloaded 
from HP (for example, Application Release software is excluded), and some security issues 
require manual action (that is, cannot be resolved by HP-supplied patches). 
The swa get command determines which software to download based on the analysis file from 
a previous swa report command. If a preexisting depot is being updated, swa get determines 
if the needed software is already in the depot or in the swcache directory. swa get will not 
download patches that already exist in either location. 
Security Considerations 
Software download (swa get) relies on the integrity of the analysis file to ensure the integrity 
of patches before unpacking them. The analysis file gets MD5 checksum information directly 
from the catalog. Therefore it is important that all transmissions of the catalog and/or analysis 
file are integrity protected and that file permissions do not allow unnecessary modification. 
Depot creation (swa get) relies on the integrity of the patches within the swcache directory. 
Therefore, after unpacking the patches, it is important that all subsequent transmissions of the 
patches are integrity protected and that file permissions do not allow unauthorized modification. 
Deploying software using Software Distributor (using the swinstall command) has security 
properties that are documented in the Software Distributor Administration Guide. 
Options 
swa get recognizes the following options: 
-p Runs this command in preview mode. 
-t target_depot The depot that software is copied into as specified by target_depot. 
This is where patches from HP are copied into. Normally, the 
target_depot should be empty and a new depot will be created. If 
the depot already exists, you must specify the advanced option -x 
allow_existing_depot=true and understand its implications. (See 
also the -x allow_existing_depot option in Extended Options). 
-q The verbosity level is decreased by one for each instance -q is specified. 
(See also the -x verbosity option.) 
-v The verbosity level is increased by one for each instance -v is specified. 
(See also the -x verbosity option.) 
-? Displays general usage. 
-option -? Describes the legal values for this option. If option is -x, all possible 
extended options are listed for the specified major mode (swa command). 
If no major mode is given, all extended options are listed for all the major 
modes. 
-x option=value Sets the extended option to a value. See the Extended Options definitions 
below. 
-x option=-? Describes the legal values for this option. 
50 SWA Manpages

-X option_file Gets the extended options from option_file. For a description and 
examples of syntax for this file, see the 
/etc/opt/swa/swa.conf.template file. 
Extended Options 
The extended options may be specified in different ways: on the command line using the -x 
option, in an option file specified using the -X option, or in one of the configuration files 
/etc/opt/swa/swa.conf (system wide) or $HOME/.swa.conf (user-specific). The 
/etc/opt/swa/swa.conf.template file provides example syntax for a configuration or -X 
file. 
If the same option is given in multiple locations, the following order is prioritized from highest 
to lowest: 
1. Options specified on the command line 
2. Options specified within an option file (-X option_file) 
3. Proxy environment variables (See the Environment Variable section.) 
4. Options specified within the $HOME/.swa.conf file 
5. Options specified within the /etc/opt/swa/swa.conf file 
6. Default value, specified in the descriptions of each option below in 
option_name=default_value format. 
Note: If the same option or extended option is given multiple times in the same location, the 
last option takes effect. If the option has a single letter equivalent (for example, -v and -x 
verbosity) and both are used on the command line, the single letter option generally takes 
precedence. If the single letter option affects an extended option that takes a list of arguments, 
specifying the single letter option multiple times will append to the list. 
swa get recognizes the following -x (extended) options, which are shown with their default 
values: 
-x allow_existing_depot=false 
Usage: Advanced 
Determines whether the target depot must be empty at the start of the command, or can be 
an existing depot. SWA does not perform any analysis of the depot contents. By specifying 
this option, you accept responsibility for the contents of this depot. 
true Target depot can exist (it is non-empty). 
false Target depot must be empty at the start of the command. 
-x analysis_file=${user_dir}/cache/swa_analysis.xml 
Usage: Basic 
The file containing the raw analysis results, including a list of software that should be 
downloaded from Hewlett-Packard in order to address the issues found by the analysis. Use 
this option to save the results from a specific analysis, and later reuse those results in order 
to download the corresponding software from HP. If you do not use the default location 
when the analysis file is created (swa report creates this file), be sure to specify that location 
when the analysis file is later used (swa get uses this file). 
Possible values include any absolute or relative path name with appropriate permissions. 
The use of ${user_dir} at the beginning of this option value is substituted with the value 
of the user_dir option (which defaults to $HOME/.swa). 
-x crl_check=true 
Usage: Advanced 
When set to true, SWA will require the Certificate Revocation List (CRL) to be updated and 
checked for the trusted Certificate Authority (CA) certificate being used to validate the remote 
server. 
In the unlikely event that the private certificate of the server pointed to by the 
catalog_source option is suspected of being compromised, its certificate will be revoked, 
51

and added to a list of revoked certificates by the CA. See swa-report(1M) for information 
about the catalog_source option. 
The CRL must be signed by the same certificate chain that signed the host certificate being 
checked. Checking the CRL requires regular downloads from the CA, which can lengthen 
the SWA run time. If you do not wish to validate a revocation list, set this to false. 
-x crl_url=http://crl.verisign.com/RSASecureServer.crl 
Usage: Advanced 
The URL of the CRL. See the crl_check option for more information. If you are behind a 
proxy server, then you will need to configure the proxy information for the protocol being 
used to download the CRL. 
-x download_cmd= 
Usage: Intermediate 
Specifies a command that can download a URL from the Internet. The command is enclosed 
in single quotes ('). This option is useful in cases where a system does not have a direct 
connection to the Internet, but can execute a command that can download a URL from the 
Internet (for example, by using a gateway machine). 
Using this option overrides many options which are used by the internal SWA download 
functionality, including proxy and CRL configuration. 
This command should take one option that is supplied by SWA (the URL of a file to 
download), and outputs that file to its standard output. If the actual command in your 
environment behaves differently, it can be wrapped by a shell script in order to provide the 
interface that SWA needs. 
The command needs to support the protocol specified by the catalog_source option 
(default HTTPS) for catalog retrieval and FTP for patch retrieval. See swa-report(1M) for 
information about the catalog_source option. 
Note: Externally used commands are not necessarily supported by HP, but can give 
considerable flexibility for your environment. For example, some external commands can 
authenticate using Windows NT®-based domain passwords to a Microsoft®web proxy, 
which is not directly supported by SWA. 
The following command is an example: 
swa report -x download_cmd='ssh user@system curl' 
This command uses SSH (see ssh(1)) to run the curl command on a gateway system. The 
curl command is an open source tool that ships with several Linux distributions. curl may 
be configured, either using a configuration file on the gateway system or by command-line 
parameters specified as part of the download_cmd option. 
-x ftp_proxy=${proxy} 
Usage: Advanced 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the FTP protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: ftp_proxy=http://web-proxy.mycompany.com:8088 
The FTP protocol is used for patch download. Integrity of the patches is checked using MD5 
secure hashes in the catalog, for which the HTTPS protocol is recommended. See the 
https_proxy option and the catalog_source option for details. See swa-report(1M) for 
information about the catalog_source option. 
The use of ${proxy} for this option value is substituted with the value of the proxy option 
(which is not set by default). 
52 SWA Manpages

-x https_proxy=${proxy} 
Usage: Advanced 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the HTTPS protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: https_proxy=http://web-proxy.mycompany.com:8088 
If username and password are specified as authentication credentials to your proxy server, 
HTTP basic authentication is used, which is a clear-text protocol, (that is, your password may 
be visible to others on your network). Also, credentials specified on the command-line are 
visible to other local users, and access to credentials stored in extended option files are 
determined by their permissions. If your proxy server requires another type of authentication, 
see the -x download_cmd option. 
The use of ${proxy} for this option value is substituted with the value of the proxy option 
(which is not set by default). 
-x http_proxy=${proxy} 
Usage: Advanced 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the HTTP protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: http_proxy=http://web-proxy.mycompany.com:8088 
The HTTP protocol is the default protocol used to download certificate revocation lists. See 
the crl_url option for more details. 
The use of ${proxy} for this option value is substituted with the value of the proxy option 
(which is not set by default). 
-x logfile=/var/opt/swa/swa.log 
Usage: Basic 
This is the path to the log file for this command. Each time SWA is run, this file will grow 
larger. This can be changed, for example, to a month-specific location for easier archiving, 
off-host backup, and rotation. 
-x log_verbosity=4 
Usage: Basic 
Specifies the level of message verbosity in the log file (See also -x verbosity). Legal values 
are: 
0 Only ERROR messages and the starting and ending BANNER messages. 
1 Adds WARNING messages. 
2 Adds NOTE messages. 
3 Adds INFO messages (informational messages preceded by the '*' character). 
4 Adds verbose INFO messages; this is the default. 
5 Adds very verbose INFO messages. 
-x preview=false 
Usage: Basic 
Specifies if swa get should be run in preview mode or not. If preview is set to false, do 
not run in preview mode. If preview is set to true, run this command in preview mode only 
(that is, complete the analysis phase and exit; no changes are committed to disk). Setting this 
option to true has the same effect as specifying -p on the command line. 
53

-x proxy= 
Usage: Basic 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the relevant protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: proxy=http://web-proxy.mycompany.com:8088 
If username and password are specified as authentication credentials to your proxy server, 
HTTP basic authentication is used, which is a clear-text protocol, (that is, your password may 
be visible to others on your network). Also, credentials specified on the command-line are 
visible to other local users, and access to credentials stored in extended option files are 
determined by their permissions. If your proxy server requires another type of authentication, 
see the -x download_cmd option. This option is used as the default for the other proxy 
settings. 
The HTTPS protocol is used for catalog download, the HTTP protocol is used to download 
the CRL, and the FTP protocol is used for patch download. The proxy= option controls the 
default for all three proxies. See the https_proxy option, the http_proxy option, and the 
ftp_proxy option for more details. 
-x swcache=/var/opt/swa/cache 
Usage: Basic 
This is the directory where SWA stores downloaded patches before putting them into a depot. 
The default location is only writable by root, so this value needs to be changed for a non-root 
user to be able to download software. Opening up permissions on the default location is not 
recommended. 
-x user_dir=~/.swa 
Usage: Basic 
The directory where SWA stores catalog, inventory, analysis, ignore, and report files. The 
default location is a subdirectory (.swa) of the user's home directory. This can be changed, 
for example, to allow archival of previous interim artifacts in a date-specific directory or 
off-host. Several other options default to a directory relative to this directory, so changing 
this option allows all of those locations to stay in synch relative to a common root. 
-x verbosity=3 
Usage: Basic 
Specifies the level of standard error verboseness: 
0 Only ERROR messages and the starting and ending BANNER messages. 
1 Adds WARNING messages. 
2 Adds NOTE messages. 
3 Adds INFO messages (informational messages preceded by the '*' character); this is the 
default. 
4 Adds verbose INFO messages. 
5 Adds very verbose INFO messages. 
Note: The -v option is equivalent to increasing verbosity by 1 (for example, from 3 to 4) 
and the -q option is equivalent to decreasing verbosity by 1. The -v and -q options can be 
used more than once. 
EXTERNAL INFLUENCES 
Environment Variables 
For compatibility with other applications (including security_patch_check), several 
environment variables can be used to configure how SWA connects to the Internet to retrieve 
catalogs, certificate revocation lists, and software. These environment variables include 
ftp_proxy, http_proxy, and https_proxy. 
54 SWA Manpages

These environment variables have the same effect as the corresponding extended options of the 
same names. The Extended Options section describes the usage and meaning of each option and 
the behavior if the same option is specified in multiple places. 
The proxy extended option cannot be specified as an environment variable, but may be a useful 
alternative if all protocols use the same proxy server at your site. 
The TMPDIR environment variable is also honored for local operations, if set. If this value is not 
set, the default of /var/opt/swa/tmp is used. This directory does not allow write operations 
for non-privileged users, so TMPDIR must be set by non-root users if a temporary directory is 
required for that operation. An example operation that uses this directory is unsharing of patch 
files. For older-style patches which do not honor TMPDIR, SWA rewrites the shar file so that 
TMPDIR will be honored before unpacking the patch. 
RETURN VALUE 
swa get returns the following values: 
0 Success 
1 Error 
2 Warning 
EXAMPLES 
To display swa get usage information: 
swa get -? 
To display usage and list all swa get extended options: 
swa get -x -? 
To run swa get using the options specified in the file ./myconfig: 
swa get -X ./myconfig 
To get patches from HP that are recommended in the default analysis file (from the previous 
swa report command) and place the results into the new depot mydepot: 
swa get -t mydepot 
To add newly recommended patches into the existing depot mydepot, only downloading patches 
from HP that are neither in mydepot nor previously downloaded: 
swa get -t mydepot -x allow_existing_depot=true 
To preview which patches need to be downloaded from HP and added to an existing depot 
without actually doing the work, and with increased verbosity: 
swa get -p -v -t mydepot -x allow_existing_depot=true 
AUTHOR 
swa was developed by HP. 
FILES 
/etc/opt/swa/swa.conf System-wide Software Assistant configuration file. 
/etc/opt/swa/swa.conf.template Template file that documents each -x option. 
$HOME/.swa.conf Per-user Software Assistant configuration file. 
/var/opt/swa/swa.log Default log file location for root users. For users without 
write permissions to the default log location, a swa.log 
file is created under the directory specified by the -x 
user_dir extended option. 
download.contents Lists all files downloaded from HP stored within the 
swcache, a directory specified by the swcache extended 
option. 
55

readBeforeInstall.txt Lists special installation instructions and other 
dependencies for the patches in the depot. Located in the 
root directory of the target depot. 
SEE ALSO 
swa(1M), swa-clean(1M), swa-report(1M), swa-step(1M). 
HP-UX Software Assistant System Administration Guide and HP-UX Software Assistant Release Notes 
at http://docs.hp.com. 
56 SWA Manpages

swa-report(1M) 
NAME 
swa-report: swa -- report software and security issues, and resolutions 
SYNOPSIS 
swa report [-a analyzer] [-r stdout_report_type] [-s inventory_source] 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
DESCRIPTION 
The swa report command inventories and analyzes a host system or some types of depots 
against a catalog of HP software and known issues (security and other defects). HP-UX Software 
Assistant (SWA) then generates three results: 
• A comprehensive HTML report saved in a file 
• A text report printed to standard output (report types include "action", "issue", or "detail") 
• An analysis results file that the swa get command uses 
Each of these results indicates the issues found and/or new software and fixes that Hewlett 
Packard recommends. 
Note: The format of these results is subject to change in a subsequent release of SWA. 
Security Considerations 
The analysis that swa report performs relies on the integrity of the inventory to determine the 
appropriate patches to install on the system. It is important that all protocols used to transmit 
the inventory data are integrity protected and that the host used to generate the inventory data 
is accurately represented. For example, use of swlist for gathering an inventory of a remote 
system uses a clear-text, unauthenticated protocol that does not protect the integrity of the data. 
Using Secure Shell to gather an inventory of a remote system uses an integrity protected (and 
encrypted) protocol. Even when using Secure Shell, the analysis still relies on the source of the 
data (the remote host) to accurately represent the software contents installed on that system. 
Options 
swa report recognizes the following options: 
-a analyzer Specifies an analyzer to use. Each analyzer represents a different 
type of analysis that swa can perform. You may specify multiple 
-a options. The supported analyzers are as follows: 
CRIT patches that fix critical 
problems 
PCW patches with critical 
warnings 
PW patches with warnings 
(a superset of PCW) 
QPK latest quality pack 
SEC security bulletins that 
may apply 
CHAIN=patchID[,patchID]* include patch or 
recommended successor 
PATCH=patchID[,patchID]* include specific patch. 
Note: Use of CHAIN is generally preferred. 
If the -a option is not specified, the QPK, SEC, and PCW 
analyzers are used. See also the -x analyzers extended 
option. 
57

-r stdout_report_type Specifies the type of report to display to standard output. Legal 
values are as follows: 
action (Default) Summary of recommended actions 
issue Summary of identified issues 
detail Recommended actions with issue justification 
html Comprehensive report in HTML format 
none No report is generated on standard output 
-s inventory_source Specify one system or depot to be inventoried, or an existing 
local inventory file to be analyzed and reported on. If this option 
is not specified, the local system is inventoried, analyzed and 
reported on. Supports Secure Shell (recommended for remote 
connections) and swlist (legacy) protocols for gathering 
inventory information. See the extended option 
inventory_source for more details. 
-q The verbosity level is decreased by one for each instance -q is 
specified. (See also the -x verbosity option.) 
-v The verbosity level is increased by one for each instance -v is 
specified. (See also the -x verbosity option.) 
-? Displays general usage. 
-option -? Describes the legal values for this option. If option is -x, all 
possible extended options are listed for the specified major 
mode (swa command). If no major mode is given, all extended 
options are listed for all the major modes. 
-x option=value Sets the extended option to a value. See the Extended Options 
definitions below. 
-x option=-? Describes the legal values for this option. 
-X option_file Gets the extended options from option_file. For a 
description and examples of syntax for this file, see the 
/etc/opt/swa/swa.conf.template file. 
Extended Options 
The extended options may be specified in different ways: on the command line using the -x 
option, in an option file specified using the -X option, or in one of the configuration files 
/etc/opt/swa/swa.conf (system wide) or $HOME/.swa.conf (user-specific). The 
/etc/opt/swa/swa.conf.template file provides example syntax for a configuration or -X 
file. 
If the same option is given in multiple locations, the following order is prioritized from highest 
to lowest: 
1. Options specified on the command line 
2. Options specified within an option file (-X option_file) 
3. Proxy environment variables (See the Environment Variable section.) 
4. Options specified within the $HOME/.swa.conf file 
5. Options specified within the /etc/opt/swa/swa.conf file 
6. Default value, specified in the descriptions of each option below in 
option_name=default_value format. 
Note: If the same option or extended option is given multiple times in the same location, the 
last option takes effect. If the option has a single letter equivalent (for example, -v and -x 
verbosity) and both are used on the command line, the single letter option generally takes 
precedence. If the single letter option affects an extended option that takes a list of arguments, 
specifying the single letter option multiple times will append to the list. 
swa report recognizes the following -x (extended) options, which are shown with their default 
values: 
58 SWA Manpages

-x analysis_file=${user_dir}/cache/swa_analysis.xml 
Usage: Basic 
The file containing the raw analysis results, including a list of software that should be 
downloaded from Hewlett-Packard in order to address the issues found by the analysis. Use 
this option to save the results from a specific analysis, and later reuse those results in order 
to download the corresponding software from HP. If you do not use the default location 
when the analysis file is created (swa report creates this file), be sure to specify that location 
when the analysis file is later used (swa get uses this file). 
Possible values include any absolute or relative path name with appropriate permissions. 
The use of ${user_dir} at the beginning of this option value is substituted with the value 
of the user_dir option (which defaults to $HOME/.swa). 
-x analyzers=QPK SEC PCW 
Usage: Basic 
Specifies a space-separated list (appropriately quoted for your shell if applicable) of analyzers 
to be used. Each analyzer represents a different type of analysis that swa can perform. The 
supported analyzers follow in two lists (generic and specific). 
Generic analyzers: 
CRIT patches that fix critical problems 
PCW patches with critical warnings 
PW patches with warnings (a superset of PCW) 
QPK latest quality pack 
SEC security bulletins that may apply 
Specific analyzers: 
CHAIN={patchID[,patchID]*} include patch or recommended successor 
PATCH={patchID[,patchID]*} include specific patch. 
Note: Use of CHAIN is generally preferred. 
Note: This option is equivalent to -a but is suitable for use within an extended options file 
(-X) or configuration file. 
-x catalog_max_age=24 
Usage: Intermediate 
Specifies the age, in hours, of the locally-cached copy of the HP software catalog before a 
new local copy should be obtained. If the local file becomes too old (based on the timestamp 
in the file), SWA tries to obtain a copy of the catalog from the catalog_source location. It 
is possible that the remote catalog is also too old (as determined by the timestamp in the file). 
For example, suppose catalog_max_age=2 and catalog_source specifies a location 
that gets updated daily from HP's website. In this case, the downloaded catalog is used, but 
will be updated every time SWA checks the catalog's age. 
Note: There are two special values, 0 and -1. The value of 0 signifies to always update the 
file. The value of -1 signifies to never update the file, regardless of age. 
-x catalog=${user_dir}/cache/swa_catalog.xml 
Usage: Intermediate 
The file containing a locally-cached copy of the catalog of available HP software and published 
security bulletins. 
Possible values include any absolute or relative path name with appropriate permissions. 
The use of ${user_dir} at the beginning of this option value is substituted with the value 
of the user_dir option (which defaults to $HOME/.swa). 
59

-x catalog_source=https://ftp.itrc.hp.com/wpsl/bin/doc.pl/ 
screen=wpslDownloadPatch/swa_catalog.xml.gz?PatchName= 
/export/patches/swa_catalog.xml.gz 
Usage: Intermediate 
A space-separated list of URLs (appropriately quoted for your shell if applicable) that controls 
the remote location and service to obtain the remote HP software catalog. The catalog contains 
a list of all potential issues, relevant software product updates and patches that address many 
issues, along with descriptions of manual actions that address some issues. HP frequently 
updates this catalog as new issues become known and as new actions are recommended. 
The following format is used to specify URLs: 
service://[user:password@]hostname.domainname:port 
Where service is one of the following methods for obtaining the remote catalog from HP: 
https Secure/authenticated HTTP 
http Unauthenticated HTTP 
ftp Unauthenticated FTP 
Note: The following are alternative, though less-secure, unauthenticated paths to the standard 
HP catalog file: 
http://ftp.itrc.hp.com/wpsl/bin/doc.pl/screen=wpslDownloadPatch/ 
swa_catalog.xml.gz?PatchName=/export/patches/swa_catalog.xml.gz 
ftp://ftp.itrc.hp.com/export/patches/swa_catalog.xml.gz 
-x crl_check=true 
Usage: Advanced 
When set to true, SWA will require the Certificate Revocation List (CRL) to be updated and 
checked for the trusted Certificate Authority (CA) certificate being used to validate the remote 
server. 
In the unlikely event that the private certificate of the server pointed to by the 
catalog_source option is suspected of being compromised, its certificate will be revoked, 
and added to a list of revoked certificates by the CA. See the catalog_source option. 
The CRL must be signed by the same certificate chain that signed the host certificate being 
checked. Checking the CRL requires regular downloads from the CA, which can lengthen 
the SWA run time. If you do not wish to validate a revocation list, set this to false. 
-x crl_url=http://crl.verisign.com/RSASecureServer.crl 
Usage: Advanced 
The URL of the CRL. See the crl_check option for more information. If you are behind a 
proxy server, then you will need to configure the proxy information for the protocol being 
used to download the CRL. 
-x download_cmd= 
Usage: Intermediate 
Specifies a command that can download a URL from the Internet. The command is enclosed 
in single quotes ('). This option is useful in cases where a system does not have a direct 
connection to the Internet, but can execute a command that can download a URL from the 
Internet (for example, by using a gateway machine). 
Using this option overrides many options which are used by the internal SWA download 
functionality, including proxy and CRL configuration. 
This command should take one option that is supplied by SWA (the URL of a file to 
download), and outputs that file to its standard output. If the actual command in your 
environment behaves differently, it can be wrapped by a shell script in order to provide the 
interface that SWA needs. 
The command needs to support the protocol specified by the catalog_source option 
(default HTTPS) for catalog retrieval and FTP for patch retrieval. See the catalog_source 
option. 
60 SWA Manpages

Note: Externally used commands are not necessarily supported by HP, but can give 
considerable flexibility for your environment. For example, some external commands can 
authenticate using Windows NT®-based domain passwords to a Microsoft® web proxy, 
which is not directly supported by SWA. 
The following command is an example: 
swa report -x download_cmd='ssh user@system curl' 
This command uses SSH (see ssh(1)) to run the curl command on a gateway system. The 
curl command is an open source tool that ships with several Linux distributions. curl may 
be configured, either using a configuration file on the gateway system or by command-line 
parameters specified as part of the download_cmd option. 
-x ftp_proxy=${proxy} 
Usage: Advanced 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the FTP protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: ftp_proxy=http://web-proxy.mycompany.com:8088 
The FTP protocol is used for patch download. Integrity of the patches is checked using MD5 
secure hashes in the catalog, for which the HTTPS protocol is recommended. See the 
https_proxy option and the catalog_source option for details. 
The use of ${proxy} for this option value is substituted with the value of the proxy option 
(which is not set by default). 
-x html_report=${user_dir}/report/swa_report.html 
Usage: Basic 
The file containing the HTML-formatted report that is generated by the swa report 
command. This is a single file with internal hyperlinks. The HTML report may be printed to 
standard output using the stdout_report_type option. 
The use of ${user_dir} at the beginning of this option value is substituted with the value 
of the user_dir option (which defaults to $HOME/.swa). 
-x https_proxy=${proxy} 
Usage: Advanced 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the HTTPS protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: https_proxy=http://web-proxy.mycompany.com:8088 
If username and password are specified as authentication credentials to your proxy server, 
HTTP basic authentication is used, which is a clear-text protocol, (that is, your password may 
be visible to others on your network). Also, credentials specified on the command-line are 
visible to other local users, and access to credentials stored in extended option files are 
determined by their permissions. If your proxy server requires another type of authentication, 
see the -x download_cmd option. 
The use of ${proxy} for this option value is substituted with the value of the proxy option 
(which is not set by default). 
-x http_proxy=${proxy} 
Usage: Advanced 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the HTTP protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
61

For example: http_proxy=http://web-proxy.mycompany.com:8088 
The HTTP protocol is the default protocol used to download certificate revocation lists. See 
the crl_url option for more details. 
The use of ${proxy} for this option value is substituted with the value of the proxy option 
(which is not set by default). 
-x ignore_file=${user_dir}/ignore 
Usage: Basic 
Files containing regular expressions, indicating which issues to ignore. Each issue is matched 
by a regular expression (see regexp(5)), and is ignored by the analysis. That is, whether or not 
the host or depot being analyzed have the identified issue, that issue will not appear on the 
report. In addition, software will not be selected for download to address the issue. The 
software may still be selected to address a different issue. 
When a user first runs SWA, if this file does not exist, a template file is created, which contains 
instructions on how to use this file. Upon creation, if a ~/.spc_ignore file exists, it is 
translated into the SWA format and appended to the template. 
The use of ${user_dir} at the beginning of this option value is substituted with the value 
of the user_dir option (which defaults to $HOME/.swa). 
-x inventory_max_age=24 
Usage: Intermediate 
Specifies the age, in hours, of the cached copy of the inventory contents of a given system. If 
the inventory becomes too old (based on the timestamp stored in the file), SWA will inventory 
the host system/depot again. 
Note: There are two special values, 0 and -1. The value of 0 signifies to always update the 
file. The value of -1 signifies to never update the file, regardless of age. 
-x inventory_source=localhost 
Usage: Basic 
Note: This release supports only one system, depot (limited use cases), or inventory file for 
analysis per invocation of SWA. This option is useful for analyzing a remote system without 
installing SWA on that system. 
Specify one of the following: a host system or depot to be inventoried, analyzed, and reported 
on; or an existing inventory file to be analyzed and reported on. 
Specify source as a URL using one of the following formats: 
hostname 
System specification, uses unauthenticated swlist protocol to gather the host inventory. 
[hostname:]full-path-to-depot 
Depot specification, also uses swlist protocol (limited use cases). 
ssh://[user@]hostname[:full-path-to-depot] 
SSH specification to system or depot, uses SSH to contact host and local swlist of the 
system or depot. 
The inventory information is cached for later access in a cache directory within the 
user_dir. Naming of the inventory files is based on the hostname and path-to-depot 
as specified (for example, using the fully qualified domain name of a host will be cached 
separately from using the node name, even for the same machine). Refresh of the cached 
inventory for each inventory_source is determined by the inventory_max_age 
option. 
Note: This option is equivalent to -s but is suitable for use within an extended options 
file (-X) or configuration file. 
[file://]full-path-to-inventory-file] 
Inventory file specification, must be a local file. 
If an argument is specified in such a way that it could be interpreted as either a system 
name or a file name, it will be assumed to be a system name. For example, if foo is the 
62 SWA Manpages

argument, then it will be interpreted as a system named foo. Alternatively, if ./foo is 
the argument, then it will be interpreted as an inventory file named foo residing in the 
current directory. 
If an inventory file name is not specified, the inventory information is cached for later 
access in a cache directory within the user_dir. Naming of these cached inventory files 
is based on the hostname and path-to-depot as specified (e.g. using the fully qualified 
domain name of a host will be cached separately from using the node name, even for the 
same machine). Refresh of the cached inventory for each inventory_source is 
determined by the inventory_max_age option. 
The following option specifications are examples: 
System specification: 
-x inventory_source=ssh://user@host.example.com 
Depot specification: 
-x inventory_source=ssh://host.example.com/var/spool/sw 
Inventory file specification: 
-x inventory_source=file:///home/user/local_inventory.xml 
Note: This option is equivalent to -s but is suitable for use within an extended options 
file (-X) or configuration file. 
-x logfile=/var/opt/swa/swa.log 
Usage: Basic 
This is the path to the log file for this command. Each time SWA is run, this file will grow 
larger. This can be changed, for example, to a month-specific location for easier archiving, 
off-host backup, and rotation. 
-x log_verbosity=4 
Usage: Basic 
Specifies the level of message verbosity in the log file (See also -x verbosity). Legal values 
are: 
0 Only ERROR messages and the starting and ending BANNER messages. 
1 Adds WARNING messages. 
2 Adds NOTE messages. 
3 Adds INFO messages (informational messages preceded by the '*' character). 
4 Adds verbose INFO messages; this is the default. 
5 Adds very verbose INFO messages. 
-x proxy= 
Usage: Basic 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the relevant protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: proxy=http://web-proxy.mycompany.com:8088 
If username and password are specified as authentication credentials to your proxy server, 
HTTP basic authentication is used, which is a clear-text protocol, (that is, your password may 
be visible to others on your network). Also, credentials specified on the command-line are 
visible to other local users, and access to credentials stored in extended option files are 
determined by their permissions. If your proxy server requires another type of authentication, 
see the -x download_cmd option. This option is used as the default for the other proxy 
settings. 
The HTTPS protocol is used for catalog download, the HTTP protocol is used to download 
the CRL, and the FTP protocol is used for patch download. The proxy= option controls the 
63

default for all three proxies. See the https_proxy option, the http_proxy option, and the 
ftp_proxy option for more details. 
-x report_when_no_issues=true 
Usage: Intermediate 
Controls whether SWA will produce a report to standard output when there are no issues 
and/or actions. This is useful, for example, in a cron job where you want email sent to you 
only if there is an issue found. 
true A standard output report is always produced. 
false A standard output report is only produced if there are issues and/or actions. 
Hint: To check for error status, use the exit code of the command and check the logfile for 
details. 
-x ssh_options= 
Usage: Intermediate 
Options to be passed to ssh. Multiple options may, be included as a space-delimited list. For 
example, if you are using SWA in a cronjob, you may want to specify '-o BatchMode=yes' 
to return immediately upon failure, rather than prompting for a password. 
See ssh_config(5) for additional options. 
-x stdout_report_type=action 
Usage: Basic 
Type of report to display on standard output. This is useful for controlling what type of 
output you would like to see. Legal values are: 
action Summary of recommended actions 
issue Summary of identified issues 
detail Recommended actions with issue justification 
html Comprehensive HTML report 
none No report 
-x user_dir=~/.swa 
Usage: Basic 
The directory where SWA stores catalog, inventory, analysis, ignore, and report files. The 
default location is a subdirectory (.swa) of the user's home directory. This can be changed, 
for example, to allow archival of previous interim artifacts in a date-specific directory or 
off-host. Several other options default to a directory relative to this directory, so changing 
this option allows all of those locations to stay in synch relative to a common root. 
-x verbosity=3 
Usage: Basic 
Specifies the level of standard error verboseness: 
0 Only ERROR messages and the starting and ending BANNER messages. 
1 Adds WARNING messages. 
2 Adds NOTE messages. 
3 Adds INFO messages (informational messages preceded by the '*' character); this is the 
default. 
4 Adds verbose INFO messages. 
5 Adds very verbose INFO messages. 
Note: The -v option is equivalent to increasing verbosity by 1 (for example, from 3 to 4) 
and the -q option is equivalent to decreasing verbosity by 1. The -v and -q options can be 
used more than once. 
64 SWA Manpages

EXTERNAL INFLUENCES 
Environment Variables 
For compatibility with other applications (including security_patch_check), several 
environment variables can be used to configure how SWA connects to the Internet to retrieve 
catalogs, certificate revocation lists, and software. These environment variables include 
ftp_proxy, http_proxy, and https_proxy. 
These environment variables have the same effect as the corresponding extended options of the 
same names. The Extended Options section describes the usage and meaning of each option and 
the behavior if the same option is specified in multiple places. 
The proxy extended option cannot be specified as an environment variable, but may be a useful 
alternative if all protocols use the same proxy server at your site. 
The TMPDIR environment variable is also honored for local operations, if set. If this value is not 
set, the default of /var/opt/swa/tmp is used. This directory does not allow write operations 
for non-privileged users, so TMPDIR must be set by non-root users if a temporary directory is 
required for that operation. An example operation that uses this directory is unsharing of patch 
files. For older-style patches which do not honor TMPDIR, SWA rewrites the shar file so that 
TMPDIR will be honored before unpacking the patch. 
RETURN VALUE 
swa report returns the following values: 
0 Success 
1 Error 
2 Warning 
EXAMPLES 
To display swa report usage information: 
swa report -? 
To display usage and list all swa report extended options: 
swa report -x -? 
To run swa report using the options specified in the file ./myconfig: 
swa report -X ./myconfig 
To inventory the local system, analyze it against an HP-supplied catalog (of known software and 
issues) for newer Quality Pack patch bundles, security issues, and critical patch warnings, and 
then generate a default standard output "action" report: 
swa report 
To create a report for security issues (SEC) for a remote system inventory gathered with Secure 
Shell, and running ssh in batchmode to avoid being prompted for user input: 
swa report -a SEC -s ssh://user@remotesystem \ 
-x ssh_options='-o batchmode=yes' 
To create a detailed report for remotesystem, limited in scope to Quality Pack patch bundle 
analysis (QPK) and patches with critical warnings (PCW). This example uses the swlist 
networking protocol, which is not integrity protected. 
swa report -a QPK -a PCW -s remotesystem -r detail 
To do the same task as the previous example, using the extended option equivalents (which can 
be specified on the command line, in a user or system configuration file, or in an extended options 
file): 
swa report -x analyzers='QPK PCW' \ 
-x inventory_source=remotesystem -x stdout_report_type=detail 
To generate a report and place the analysis results in the ~/firstanalysis.xml file (for later 
use by swa get): 
65

swa report -x analysis_file=~/firstanalysis.xml 
To generate a report, updating the catalog of HP software if it is more than 48 hours old: 
swa report -x catalog_max_age=48 
To generate a report using a specified catalog of HP software without updating that catalog: 
swa report -x catalog=~/mycatalog.xml -x catalog_max_age=-1 
To generate a report always updating the catalog of HP software: 
swa report -x catalog_max_age=0 
AUTHOR 
swa was developed by HP. 
FILES 
/etc/opt/swa/swa.conf System-wide Software Assistant configuration file. 
/etc/opt/swa/swa.conf.template Template file that documents each -x option. 
$HOME/.swa.conf Per-user Software Assistant configuration file. 
/var/opt/swa/swa.log Default log file location for root users. For users without 
write permissions to the default log location, a swa.log 
file is created under the directory specified by the -x 
user_dir extended option. 
ignore Lists issue IDs to be ignored (for example, they are 
completed or not applicable). Supports comments and 
regular expressions. See regexp(5). 
SEE ALSO 
swa(1M), swa-clean(1M), swa-get(1M), swa-step(1M). 
HP-UX Software Assistant System Administration Guide and HP-UX Software Assistant Release Notes 
at http://docs.hp.com. 
66 SWA Manpages

swa-step(1M) 
NAME 
swa-step: swa -- advanced control of Software Assistant execution steps 
SYNOPSIS 
swa step inventory [-s inventory_source] 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
swa step catalog 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
swa step analyze [-a analyzer] [-s inventory_source] 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
swa step report [-r stdout_report_type] 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
swa step download [-p] [-t target_depot] 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
swa step depot [-p] -t target_depot 
[-q [q[q]]] [-v[v]] [[-option] -?] [-x option=[value|-?]] [-X option_file] 
DESCRIPTION 
The swa step command supports many advanced use cases. The swa report and swa get 
commands are actually made up of multiple steps. swa step allows a single step of these 
commands to be executed. For example, swa report normally executes the following steps (in 
order): inventory, catalog, analyze, and report. The swa step report command can be used 
to create different standard output reports, without having to redo analysis. Additional examples 
and use cases, are provided below. 
swa step inventory Create an inventory of the software installed on a system or resident 
in a depot. This inventory is stored in the cache subdirectory of 
the directory specified by the user_dir extended option (the 
filename is of the form "swa_inventory_<number>.xml"). Example 
use case: If the system-to-be-analyzed and the analysis system are 
on isolated networks, run swa step inventory on the 
to-be-analyzed system to create an inventory file. Then copy that 
file (for example, burn a CD) to the cache directory on the analysis 
system. 
swa step catalog Download a catalog of meta data about potential issues and their 
recommended resolutions. This catalog is stored in the cache 
directory of the directory specified by the user_dir extended 
option (the default filename is swa_catalog.xml). Example use 
case: If the system to perform analysis has no access to the Internet, 
manually download the catalog to a system with Internet access. 
Then copy the catalog (for example, on a USB drive) to the cache 
directory on the analysis system. 
swa step analyze Given the results of running swa step inventory and swa 
step catalog, analyze the inventory and come up with 
recommended resolutions to the issues found (see the Security 
Considerations section). The analysis results are stored in the cache 
directory of the directory specified by the user_dir extended 
option (the default filename is swa_analysis.xml). Example use 
case: Run swa step analyze at different times, each time 
specifying a different set of analyzers and a different analysis file. 
swa step report Given the results of running swa step analyze, format a report. 
Example use case: Run swa step report at different times, each 
time specifying a different standard output report format. Another 
67

example is running it at different times on each analysis file created 
by different runs of swa step analyze. 
swa step download Given the results of running swa step analyze, download 
software recommended by the analysis (in the analysis file). The 
software is downloaded into a directory controlled by the swcache 
extended option. Example use case: If the analysis system does not 
have Internet access, copy the analysis file to a system with Internet 
access, and run the swa step download command on that system. 
swa step depot Given the results of running swa step analyze and swa step 
download, unpack and copy the downloaded software into a depot. 
Depending on the extended options used, a new depot is created 
or an existing depot is added to. Example use case: If a depot server 
system does not have Internet access, use swa step download 
to get software on your intranet. Then copy the software to the 
swcache directory on your depot server and use swa step depot 
to unpack the downloaded software and create your depot. 
Security Considerations 
The analysis that swa step performs relies on the integrity of the inventory to determine the 
appropriate patches to install on the system. It is important that all protocols used to transmit 
the inventory data are integrity protected and that the host used to generate the inventory data 
is accurately represented. For example, use of swlist for gathering an inventory of a remote 
system uses a clear-text, unauthenticated protocol that does not protect the integrity of the data. 
Using Secure Shell to gather an inventory of a remote system uses an integrity protected (and 
encrypted) protocol. Even when using Secure Shell, the analysis still relies on the source of the 
data (the remote host) to accurately represent the software contents installed on that system. 
Software download (swa step download) relies on the integrity of the analysis file to ensure 
the integrity of patches before unpacking them. The analysis file gets MD5 checksum information 
directly from the catalog. Therefore it is important that all transmissions of the catalog and/or 
analysis file are integrity protected and that file permissions do not allow unnecessary 
modification. 
Depot creation (swa step depot) relies on the integrity of the patches within the swcache 
directory. Therefore, after unpacking the patches, it is important that all subsequent transmissions 
of the patches are integrity protected and that file permissions do not allow unauthorized 
modification. Deploying software using Software Distributor (using the swinstall command) 
has security properties that are documented in the Software Distributor Administration Guide. 
Options 
swa step recognizes the following options: 
-a analyzer Specifies an analyzer to use. Each analyzer represents a different 
type of analysis that swa can perform. You may specify multiple 
-a options. The supported analyzers are as follows: 
CRIT patches that fix critical 
problems 
PCW patches with critical 
warnings 
PW patches with warnings 
(a superset of PCW) 
QPK latest quality pack 
SEC security bulletins that 
may apply 
CHAIN=patchID[,patchID]* include patch or 
recommended successor 
PATCH=patchID[,patchID]* include specific patch. 
Note: Use of CHAIN is generally preferred. 
68 SWA Manpages

If the -a option is not specified, the QPK, SEC, and PCW 
analyzers are used. See also the -x analyzers extended 
option. 
-p Runs this command in preview mode. 
-r stdout_report_type Specifies the type of report to display to standard output. Legal 
values are as follows: 
action (Default) Summary of recommended actions 
issue Summary of identified issues 
detail Recommended actions with issue justification 
html Comprehensive report in HTML format 
none No report is generated on standard output 
-s inventory_source Specify one system or depot to be inventoried, or an existing 
local inventory file to be analyzed and reported on. If this option 
is not specified, the local system is inventoried, analyzed and 
reported on. Supports Secure Shell (recommended for remote 
connections) and swlist (legacy) protocols for gathering 
inventory information. See the extended option 
inventory_source for more details. 
-t target_depot The depot that software is copied into as specified by 
target_depot. This is where patches from HP are copied 
into. Normally, the target_depot should be empty and a 
new depot will be created. If the depot already exists, you must 
specify the advanced option -x 
allow_existing_depot=true and understand its 
implications. (See also the -x allow_existing_depot 
option in Extended Options). 
-q The verbosity level is decreased by one for each instance -q is 
specified. (See also the -x verbosity option.) 
-v The verbosity level is increased by one for each instance -v is 
specified. (See also the -x verbosity option.) 
-? Displays general usage. 
-option -? Describes the legal values for this option. If option is -x, all 
possible extended options are listed for the specified major 
mode (swa command). If no major mode is given, all extended 
options are listed for all the major modes. 
-x option=value Sets the extended option to a value. See the Extended Options 
definitions below. 
-x option=-? Describes the legal values for this option. 
-X option_file Gets the extended options from option_file. For a 
description and examples of syntax for this file, see the 
/etc/opt/swa/swa.conf.template file. 
Extended Options 
The extended options may be specified in different ways: on the command line using the -x 
option, in an option file specified using the -X option, or in one of the configuration files 
/etc/opt/swa/swa.conf (system wide) or $HOME/.swa.conf (user-specific). The 
/etc/opt/swa/swa.conf.template file provides example syntax for a configuration or -X 
file. 
If the same option is given in multiple locations, the following order is prioritized from highest 
to lowest: 
1. Options specified on the command line 
2. Options specified within an option file (-X option_file) 
69

3. Proxy environment variables (See the Environment Variable section.) 
4. Options specified within the $HOME/.swa.conf file 
5. Options specified within the /etc/opt/swa/swa.conf file 
6. Default value, specified in the descriptions of each option below in 
option_name=default_value format. 
Note: If the same option or extended option is given multiple times in the same location, the 
last option takes effect. If the option has a single letter equivalent (for example, -v and -x 
verbosity) and both are used on the command line, the single letter option generally takes 
precedence. If the single letter option affects an extended option that takes a list of arguments, 
specifying the single letter option multiple times will append to the list. 
swa step recognizes the following -x (extended) options which are shown with their default 
values: 
-x allow_existing_depot=false 
Usage: Advanced 
Applicable steps: download depot 
Determines whether the target depot must be empty at the start of the command, or can be 
an existing depot. SWA does not perform any analysis of the depot contents. By specifying 
this option, you accept responsibility for the contents of this depot. 
true Target depot can exist (it is non-empty). 
false Target depot must be empty at the start of the command. 
-x analysis_file=${user_dir}/cache/swa_analysis.xml 
Usage: Basic 
Applicable steps: analyze report download depot 
The file containing the raw analysis results, including a list of software that should be 
downloaded from Hewlett-Packard in order to address the issues found by the analysis. Use 
this option to save the results from a specific analysis, and later reuse those results in order 
to download the corresponding software from HP. If you do not use the default location 
when the analysis file is created (swa report creates this file), be sure to specify that location 
when the analysis file is later used (swa get uses this file). 
Possible values include any absolute or relative path name with appropriate permissions. 
The use of ${user_dir} at the beginning of this option value is substituted with the value 
of the user_dir option (which defaults to $HOME/.swa). 
-x analyzers=QPK SEC PCW 
Usage: Basic 
Applicable steps: analyze 
Specifies a space-separated list (appropriately quoted for your shell if applicable) of analyzers 
to be used. Each analyzer represents a different type of analysis that swa can perform. The 
supported analyzers follow in two lists (generic and specific). 
Generic analyzers: 
CRIT patches that fix critical problems 
PCW patches with critical warnings 
PW patches with warnings (a superset of PCW) 
QPK latest quality pack 
SEC security bulletins that may apply 
Specific analyzers: 
CHAIN={patchID[,patchID]*} include patch or recommended successor 
PATCH={patchID[,patchID]*} include specific patch. 
Note: Use of CHAIN is generally preferred. 
70 SWA Manpages

Note: This option is equivalent to -a but is suitable for use within an extended options file 
(-X) or configuration file. 
-x catalog_max_age=24 
Usage: Intermediate 
Applicable steps: catalog 
Specifies the age, in hours, of the locally-cached copy of the HP software catalog before a 
new local copy should be obtained. If the local file becomes too old (based on the timestamp 
in the file), SWA tries to obtain a copy of the catalog from the catalog_source location. It 
is possible that the remote catalog is also too old (as determined by the timestamp in the file). 
For example, suppose catalog_max_age=2 and catalog_source specifies a location 
that gets updated daily from HP's website. In this case, the downloaded catalog is used, but 
will be updated every time SWA checks the catalog's age. 
Note: There are two special values, 0 and -1. The value of 0 signifies to always update the 
file. The value of -1 signifies to never update the file, regardless of age. 
-x catalog=${user_dir}/cache/swa_catalog.xml 
Usage: Intermediate 
Applicable steps: catalog analyze 
The file containing a locally-cached copy of the catalog of available HP software and published 
security bulletins. 
Possible values include any absolute or relative path name with appropriate permissions. 
The use of ${user_dir} at the beginning of this option value is substituted with the value 
of the user_dir option (which defaults to $HOME/.swa). 
-x catalog_source=https://ftp.itrc.hp.com/wpsl/bin/doc.pl/ 
screen=wpslDownloadPatch/swa_catalog.xml.gz?PatchName= 
/export/patches/swa_catalog.xml.gz 
Usage: Intermediate 
Applicable steps: catalog 
A space-separated list of URLs (appropriately quoted for your shell if applicable) that controls 
the remote location and service to obtain the remote HP software catalog. The catalog contains 
a list of all potential issues, relevant software product updates and patches that address many 
issues, along with descriptions of manual actions that address some issues. HP frequently 
updates this catalog as new issues become known and as new actions are recommended. 
The following format is used to specify URLs: 
service://[user:password@]hostname.domainname:port 
Where service is one of the following methods for obtaining the remote catalog from HP: 
https Secure/authenticated HTTP 
http Unauthenticated HTTP 
ftp Unauthenticated FTP 
Note: The following are alternative, though less-secure, unauthenticated paths to the standard 
HP catalog file: 
http://ftp.itrc.hp.com/wpsl/bin/doc.pl/screen=wpslDownloadPatch/ 
swa_catalog.xml.gz?PatchName=/export/patches/swa_catalog.xml.gz 
ftp://ftp.itrc.hp.com/export/patches/swa_catalog.xml.gz 
-x crl_check=true 
Usage: Advanced 
Applicable steps: catalog download 
When set to true, SWA will require the Certificate Revocation List (CRL) to be updated and 
checked for the trusted Certificate Authority (CA) certificate being used to validate the remote 
server. 
71

In the unlikely event that the private certificate of the server pointed to by the 
catalog_source option is suspected of being compromised, its certificate will be revoked, 
and added to a list of revoked certificates by the CA. See the catalog_source option. 
The CRL must be signed by the same certificate chain that signed the host certificate being 
checked. Checking the CRL requires regular downloads from the CA, which can lengthen 
the SWA run time. If you do not wish to validate a revocation list, set this to false. 
-x crl_url=http://crl.verisign.com/RSASecureServer.crl 
Usage: Advanced 
Applicable steps: catalog download 
The URL of the CRL. See the crl_check option for more information. If you are behind a 
proxy server, then you will need to configure the proxy information for the protocol being 
used to download the CRL. 
-x download_cmd= 
Usage: Intermediate 
Applicable steps: catalog download 
Specifies a command that can download a URL from the Internet. The command is enclosed 
in single quotes ('). This option is useful in cases where a system does not have a direct 
connection to the Internet, but can execute a command that can download a URL from the 
Internet (for example, by using a gateway machine). 
Using this option overrides many options which are used by the internal SWA download 
functionality, including proxy and CRL configuration. 
This command should take one option that is supplied by SWA (the URL of a file to 
download), and outputs that file to its standard output. If the actual command in your 
environment behaves differently, it can be wrapped by a shell script in order to provide the 
interface that SWA needs. 
The command needs to support the protocol specified by the catalog_source option 
(default HTTPS) for catalog retrieval and FTP for patch retrieval. See the catalog_source 
option. 
Note: Externally used commands are not necessarily supported by HP, but can give 
considerable flexibility for your environment. For example, some external commands can 
authenticate using Windows NT®-based domain passwords to a Microsoft® web proxy, 
which is not directly supported by SWA. 
The following command is an example: 
swa report -x download_cmd='ssh user@system curl' 
This command uses SSH (see ssh(1)) to run the curl command on a gateway system. The 
curl command is an open source tool that ships with several Linux distributions. curl may 
be configured, either using a configuration file on the gateway system or by command-line 
parameters specified as part of the download_cmd option. 
-x ftp_proxy=${proxy} 
Usage: Advanced 
Applicable steps: catalog download 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the FTP protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: ftp_proxy=http://web-proxy.mycompany.com:8088 
The FTP protocol is used for patch download. Integrity of the patches is checked using MD5 
secure hashes in the catalog, for which the HTTPS protocol is recommended. See the 
https_proxy option and the catalog_source option for details. 
The use of ${proxy} for this option value is substituted with the value of the proxy option 
(which is not set by default). 
72 SWA Manpages

-x html_report=${user_dir}/report/swa_report.html 
Usage: Basic 
Applicable steps: report 
The file containing the HTML-formatted report that is generated by the swa report 
command. This is a single file with internal hyperlinks. The HTML report may be printed to 
standard output using the stdout_report_type option. 
The use of ${user_dir} at the beginning of this option value is substituted with the value 
of the user_dir option (which defaults to $HOME/.swa). 
-x https_proxy=${proxy} 
Usage: Advanced 
Applicable steps: catalog download 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the HTTPS protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: https_proxy=http://web-proxy.mycompany.com:8088 
If username and password are specified as authentication credentials to your proxy server, 
HTTP basic authentication is used, which is a clear-text protocol, (that is, your password may 
be visible to others on your network). Also, credentials specified on the command-line are 
visible to other local users, and access to credentials stored in extended option files are 
determined by their permissions. If your proxy server requires another type of authentication, 
see the -x download_cmd option. 
The use of ${proxy} for this option value is substituted with the value of the proxy option 
(which is not set by default). 
-x http_proxy=${proxy} 
Usage: Advanced 
Applicable steps: catalog download 
Proxy host and port (with optional HTTP basic authentication username and password) for 
accessing content using the HTTP protocol. No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: http_proxy=http://web-proxy.mycompany.com:8088 
The HTTP protocol is the default protocol used to download certificate revocation lists. See 
the crl_url option for more details. 
The use of ${proxy} for this option value is substituted with the value of the proxy option 
(which is not set by default). 
-x ignore_file=${user_dir}/ignore 
Usage: Basic 
Applicable steps: analyze 
Files containing regular expressions, indicating which issues to ignore. Each issue is matched 
by a regular expression (see regexp(5)), and is ignored by the analysis. That is, whether or not 
the host or depot being analyzed have the identified issue, that issue will not appear on the 
report. In addition, software will not be selected for download to address the issue. The 
software may still be selected to address a different issue. 
When a user first runs SWA, if this file does not exist, a template file is created, which contains 
instructions on how to use this file. Upon creation, if a ~/.spc_ignore file exists, it is 
translated into the SWA format and appended to the template. 
The use of ${user_dir} at the beginning of this option value is substituted with the value 
of the user_dir option (which defaults to $HOME/.swa). 
73

-x inventory_max_age=24 
Usage: Intermediate 
Applicable steps: inventory 
Specifies the age, in hours, of the cached copy of the inventory contents of a given system. If 
the inventory becomes too old (based on the timestamp stored in the file), SWA will inventory 
the host system/depot again. 
Note: There are two special values, 0 and -1. The value of 0 signifies to always update the 
file. The value of -1 signifies to never update the file, regardless of age. 
-x inventory_source=localhost 
Usage: Basic 
Note: This release supports only one system, depot (limited use cases), or inventory file for 
analysis per invocation of SWA. This option is useful for analyzing a remote system without 
installing SWA on that system. 
Specify one of the following: a host system or depot to be inventoried, analyzed, and reported 
on; or an existing inventory file to be analyzed and reported on. 
Specify source as a URL using one of the following formats: 
hostname 
System specification, uses unauthenticated swlist protocol to gather the host inventory. 
[hostname:]full-path-to-depot 
Depot specification, also uses swlist protocol (limited use cases). 
ssh://[user@]hostname[:full-path-to-depot] 
SSH specification to system or depot, uses SSH to contact host and local swlist of the 
system or depot. 
The inventory information is cached for later access in a cache directory within the 
user_dir. Naming of the inventory files is based on the hostname and path-to-depot 
as specified (for example, using the fully qualified domain name of a host will be cached 
separately from using the node name, even for the same machine). Refresh of the cached 
inventory for each inventory_source is determined by the inventory_max_age 
option. 
Note: This option is equivalent to -s but is suitable for use within an extended options 
file (-X) or configuration file. 
[file://]full-path-to-inventory-file] 
Inventory file specification, must be a local file. 
If an argument is specified in such a way that it could be interpreted as either a system 
name or a file name, it will be assumed to be a system name. For example, if foo is the 
argument, then it will be interpreted as a system named foo. Alternatively, if ./foo is 
the argument, then it will be interpreted as an inventory file named foo residing in the 
current directory. 
If an inventory file name is not specified, the inventory information is cached for later 
access in a cache directory within the user_dir. Naming of these cached inventory files 
is based on the hostname and path-to-depot as specified (e.g. using the fully qualified 
domain name of a host will be cached separately from using the node name, even for the 
same machine). Refresh of the cached inventory for each inventory_source is 
determined by the inventory_max_age option. 
The following option specifications are examples: 
System specification: 
-x inventory_source=ssh://user@host.example.com 
Depot specification: 
-x inventory_source=ssh://host.example.com/var/spool/sw 
Inventory file specification: 
74 SWA Manpages

-x inventory_source=file:///home/user/local_inventory.xml 
Note: This option is equivalent to -s but is suitable for use within an extended options 
file (-X) or configuration file. 
-x logfile=/var/opt/swa/swa.log 
Usage: Basic 
Applicable steps: catalog inventory analyze report download depot 
This is the path to the log file for this command. Each time SWA is run, this file will grow 
larger. This can be changed, for example, to a month-specific location for easier archiving, 
off-host backup, and rotation. 
-x log_verbosity=4 
Usage: Basic 
Applicable steps: catalog inventory analyze report download depot 
Specifies the level of message verbosity in the log file (See also -x verbosity). Legal values 
are: 
0 Only ERROR messages and the starting and ending BANNER messages. 
1 Adds WARNING messages. 
2 Adds NOTE messages. 
3 Adds INFO messages (informational messages preceded by the '*' character). 
4 Adds verbose INFO messages; this is the default. 
5 Adds very verbose INFO messages. 
-x preview=false 
Usage: Basic 
Applicable steps: download depot 
Specifies if swa step should be run in preview mode or not. If preview is set to false, do 
not run in preview mode. If preview is set to true, run this command in preview mode only 
(that is, complete the analysis phase and exit; no changes are committed to disk). Setting this 
option to true has the same effect as specifying -p on the command line. 
-x proxy= 
Usage: Basic 
Applicable steps: catalog download Proxy host and port (with optional HTTP basic 
authentication username and password) for accessing content using the relevant protocol. 
No proxy information is specified by default. 
The following format is used: 
service://[user:password@]proxy-server:port 
For example: proxy=http://web-proxy.mycompany.com:8088 
If username and password are specified as authentication credentials to your proxy server, 
HTTP basic authentication is used, which is a clear-text protocol, (that is, your password may 
be visible to others on your network). Also, credentials specified on the command-line are 
visible to other local users, and access to credentials stored in extended option files are 
determined by their permissions. If your proxy server requires another type of authentication, 
see the -x download_cmd option. This option is used as the default for the other proxy 
settings. 
The HTTPS protocol is used for catalog download, the HTTP protocol is used to download 
the CRL, and the FTP protocol is used for patch download. The proxy= option controls the 
default for all three proxies. See the https_proxy option, the http_proxy option, and the 
ftp_proxy option for more details. 
-x report_when_no_issues=true 
Usage: Intermediate 
Applicable steps: report 
75

Controls whether SWA will produce a report to standard output when there are no issues 
and/or actions. This is useful, for example, in a cron job where you want email sent to you 
only if there is an issue found. 
true A standard output report is always produced. 
false A standard output report is only produced if there are issues and/or actions. 
Hint: To check for error status, use the exit code of the command and check the logfile for 
details. 
-x ssh_options= 
Usage: Intermediate 
Applicable steps: inventory 
Options to be passed to ssh. Multiple options may, be included as a space-delimited list. For 
example, if you are using SWA in a cronjob, you may want to specify '-o BatchMode=yes' 
to return immediately upon failure, rather than prompting for a password. 
See ssh_config(5) for additional options. 
-x stdout_report_type=action 
Usage: Basic 
Applicable steps: report 
Type of report to display on standard output. This is useful for controlling what type of 
output you would like to see. Legal values are: 
action Summary of recommended actions 
issue Summary of identified issues 
detail Recommended actions with issue justification 
html Comprehensive HTML report 
none No report 
-x swcache=/var/opt/swa/cache 
Usage: Basic 
Applicable steps: download depot 
This is the directory where SWA stores downloaded patches before putting them into a depot. 
The default location is only writable by root, so this directory needs to be changed for a 
non-root user to be able to download software. Opening up permissions on the default 
location is not recommended. 
-x user_dir=~/.swa 
Usage: Basic 
Applicable steps: catalog inventory analyze report download depot 
The directory where SWA stores catalog, inventory, analysis, ignore, and report files. The 
default location is a subdirectory (.swa) of the user's home directory. This can be changed, 
for example, to allow archival of previous interim artifacts in a date-specific directory or 
off-host. Several other options default to a directory relative to this directory, so changing 
this option allows all of those locations to stay in synch relative to a common root. 
-x verbosity=3 
Usage: Basic 
Applicable steps: catalog inventory analyze report download depot 
Specifies the level of standard error verboseness: 
0 Only ERROR messages and the starting and ending BANNER messages. 
1 Adds WARNING messages. 
2 Adds NOTE messages. 
3 Adds INFO messages (informational messages preceded by the '*' character); this is the 
default. 
4 Adds verbose INFO messages. 
76 SWA Manpages

5 Adds very verbose INFO messages. 
Note: The -v option is equivalent to increasing verbosity by 1 (for example, from 3 to 4) 
and the -q option is equivalent to decreasing verbosity by 1. The -v and -q options can be 
used more than once. 
EXTERNAL INFLUENCES 
Environment Variables 
For compatibility with other applications (including security_patch_check), several 
environment variables can be used to configure how SWA connects to the Internet to retrieve 
catalogs, certificate revocation lists, and software. These environment variables include 
ftp_proxy, http_proxy, and https_proxy. 
These environment variables have the same effect as the corresponding extended options of the 
same names. The Extended Options section describes the usage and meaning of each option and 
the behavior if the same option is specified in multiple places. 
The proxy extended option cannot be specified as an environment variable, but may be a useful 
alternative if all protocols use the same proxy server at your site. 
The TMPDIR environment variable is also honored for local operations, if set. If this value is not 
set, the default of /var/opt/swa/tmp is used. This directory does not allow write operations 
for non-privileged users, so TMPDIR must be set by non-root users if a temporary directory is 
required for that operation. An example operation that uses this directory is unsharing of patch 
files. For older-style patches which do not honor TMPDIR, SWA rewrites the shar file so that 
TMPDIR will be honored before unpacking the patch. 
RETURN VALUE 
swa step returns the following values: 
0 Success 
1 Error 
2 Warning 
EXAMPLES 
To display swa step usage information: 
swa step -? 
To display usage and list all swa step extended options: 
swa step -x -? 
To run swa step using the options specified in the file ./myconfig: 
swa step -X ./myconfig 
To inventory the local system, assuming it was last inventoried over 24 hours ago: 
swa step inventory 
To inventory a remote system using the unauthenticated swlist networking protocols, assuming 
it was last inventoried over 1 hour ago: 
swa step inventory -s remotesystem -xinventory_max_age=1 
To get the catalog of known HP software and issues, only downloading the catalog if it is older 
than 24 hours, using the default (HTTPS) protocol, and caching it in the default location: 
swa step catalog 
To get the catalog regardless of age, using the cleartext, unauthenticated FTP protocol, and 
specifying where to cache a local copy of the catalog: 
swa step catalog -x catalog_max_age=0 \ 
-x catalog_source=ftp://ftp.itrc.hp.com/export/patches/swa_catalog.xml.gz 
\ 
-x catalog=~/mycatalog.xml 
77

To analyze the local system with the QPK, SEC, and PCW analyzers, using the previously cached 
inventory and catalog (in their default locations): 
swa step analyze 
To analyze a remote system for security issues, using the previously cached inventory and catalog 
(in their default locations): 
swa step analyze -a SEC -s remotesys 
To analyze the local system for security issues, using a specified location for the catalog and 
analysis files: 
swa step analyze -a SEC -x catalog=~/mycatalog \ 
-x analysis_file=~/myanalysis.xml 
To create a default standard output "action" report based on a previous analysis (in the default 
location): 
swa step report 
To create a standard output "issue" report, and to specify the location of the comprehensive 
HTML report: 
swa step report -r issue -x html_report=~/myreport.html 
To create a standard output "detail" report only if there is at least one issue, keeping standard 
error (progress) messages to a minimum: 
swa step report -r detail -x report_when_no_issues=false \ 
-x verbosity=0 
To create a standard output "action" report with minimal standard error (progress) messages, 
but with maximal progress messages logged to the logfile: 
swa step report -x verbosity=0 -x log_verbosity=5 
To download software recommended by the previous analysis (using default locations): 
swa step download 
To use the preview mode: 
swa step download -p 
To download software that does not exist in the swcache or in the target depot: 
swa step download -t /target/depot -x allow_existing_depot=true 
To download software specified in an analysis file that is in a specified location, and put the 
results into a specified swcache location: 
swa step download -x analysis_file=~/myanalysis.xml \ 
-x swcache=/my/cache 
To create a new depot with software recommended by the previous analysis and previously 
downloaded software (using default locations): 
swa step depot -t /target/depot 
To add previously downloaded software to an existing depot from a specified swcache location: 
swa step depot -t /target/depot -x allow_existing_depot=true \ 
-x swcache=/my/cache 
To use the preview mode to see what software would be added to an existing depot: 
swa step depot -p -t /target/depot -x allow_existing_depot=true 
AUTHOR 
swa was developed by HP. 
FILES 
/etc/opt/swa/swa.conf System-wide Software Assistant configuration file. 
/etc/opt/swa/swa.conf.template Template file that documents each -x option. 
$HOME/.swa.conf Per-user Software Assistant configuration file. 
78 SWA Manpages

/var/opt/swa/swa.log Default log file location for root users. For users without 
write permissions to the default log location, a swa.log 
file is created under the directory specified by the 
user_dir extended option. 
download.contents Lists all files downloaded from HP stored within the 
swcache, a directory specified by the swcache extended 
option. 
readBeforeInstall.txt Lists special installation instructions and other 
dependencies for the patches in the depot. Located in the 
root directory of the target depot. 
ignore Lists issue IDs to be ignored (for example, they are 
completed or not applicable). Supports comments and 
regular expressions. See regexp(5). 
SEE ALSO 
swa(1M), swa-clean(1M), swa-get(1M), swa-report(1M). 
HP-UX Software Assistant System Administration Guide and HP-UX Software Assistant Release Notes 
at http://docs.hp.com. 
79

80

Glossary 
A glossary term appears in boldface when used for the first time in the text of this 
manual. Italicized terms in the following glossary refer to other terms in the glossary. 
A
analysis A comparison of the inventory and the catalog to determine the recommended actions and 
applicable patches for installation. 
analyzer An option of the swa report and swa step analyze commands used to specify the type 
of analyses to run. Available analyzers are: CRIT, PCW, PW, QPK, SEC, CHAIN, and PATCH. If no 
analyzers are specified, the QPK, SEC, and PCS analyses are performed. 
B
bulletin See security bulletin. 
bundle 
equivalency 
The state of a system where all patches in a bundle that are capable of being installed are present 
or superseded by newer components. 
C-D 
cache Inventory, catalog, analysis, and downloaded software stored by SWA on the target system. 
catalog A list of known problems with HP-UX software and their fixes, located at the HP IT Resource 
Center (ITRC). 
command line 
interface (CLI) 
Text formatted commands and options entered at an HP-UX command line prompt or executed 
by a script. 
E-H 
extended option Customizations for a major mode. They can be specified on the command line, in an option 
file, or in a configuration file. 
I-L 
inventory A list of all the software installed on a system. 
IT Resource 
Center (ITRC) 
A URL location, http://itrc.hp.com, with access to comprehensive HP software, hardware, and 
network support information and tools. 
M-O 
major mode A style of CLI of the format command <major mode>. SWA has the following major modes: 
report, get, clean, and step. 
MD5 Message Digest-5. Authentication algorithm developed by RSA. MD5 generates a 128-bit 
message digest using a 128-bit key. IPSec truncates the message digest to 96 bits. 
P
patch Software designed to update specific bundles, products, subproducts, filesets, or files on a 
system. 
Patch Assessment 
Tool 
Guided patch analysis and selection software available on the IT Resource Center (ITRC) website 
that ensures your systems meet the HP recommended patch configuration. HP-UX Software 
Assistant has all the capabilities of the ITRC Patch Assessment Tool and more. 
patch chain See supersession chain. 
81

Q
Quality Pack 
(QPK) 
A bundle of HP-UX defect-fix patches for proactive patching. QPK bundles are targeted for a 
particular version of HP-UX. The patches are tested as thoroughly as an operating system 
release. 
R
report A summary of actions to take based on the analysis. 
S-T 
security bulletin The mechanism used by Hewlett-Packard to announce the presence of potential security issues 
and lists actions recommended to resolve the issue. 
Security Patch 
Check (SPC) 
An HP-UX command that analyzes the security bulletin compliance of a system. Most of the 
functionality of SPC is superseded by HP-UX Software Assistant. Full support of SPC will end 
on 11/01/08. 
Software 
Assistant (SWA) 
A command line interface tool that consolidates and simplifies patch management and security 
bulletin management on HP-UX systems. The SWA tool is new for HP-UX releases as of January 
2007, supersedes Security Patch Check (SPC), and is the HP-recommended utility to use to 
maintain currency with HP-published security bulletins for HP-UX software. 
step One discrete action of the swa report or swa get command. SWA steps are initiated with 
the swa step command. Valid steps are: inventory, catalog, analyze, report, download, 
and depot. 
supersession 
chain 
A series of patches for a software product, beginning with the nonpatched software product 
and progressing from the oldest patch to the newest patch. Newer patches completely replace 
the older ones. In general, patch numbers increase along a patch supersession chain. 
swcache Files containing the software downloaded from the HP ITRC during the swa get or the swa 
step download command. These files are stored in the swcache directory. 
U-Z 
usercache Files created by swa report, such as the inventories of the systems or depots, the catalog, 
and the analysis file. These files are stored in the cache subdirectory. 
82 Glossary

Index 
A
Action report 
explained, 22 
overview, 19 
analyze 
depot, 7 
overview, 7 
analyze step, 8 
analyzers, 19 
(see also automatic analyzers (AUTO)) 
(see also CHAIN analyzer) 
(see also CRIT analyzer) 
(see also PATCH analyzer) 
(see also PCW analyzer) 
(see also PW analyzer) 
(see also QPK analyzer) 
(see also SEC analyzer) 
default, 19 
overview, 19 
setting in HP SIM, 33 
specifying, 16 
assessment profile 
explained, 21 
overview, 15 
automatic analyzers (AUTO) 
in the Issue report, 25 
overview, 21 
B
bundle equivalency, 22 
C
catalog 
and analysis, 19 
and the assessment profile, 21 
downloading, 7, 15 
failed to read error, 39 
location, 37 
out-of-date, 25 
catalog step, 8 
CHAIN analyzer 
in the assessment profile, 21 
in the Issue report, 25 
overview, 19 
clean major mode, 9 
commands 
configHPSIM, 12, 40 
help, 9 
mxinitconfig, 12, 40 
overview, 7 
swa, 42 
swa clean, 9, 46 
swa get, 8, 50 
swa report, 8, 57 
swa step, 8, 67 
configHPSIM, 12 
in error message, 40 
configuration file, 9 
CRIT analyzer 
in the Issue report, 25 
overview, 19 
D
dependent applications, 11 
depot 
analyzing, 7 
and the Action report, 22 
creating, 16 
installing, 17 
depot step, 8 
Detail report 
explained, 26 
overview, 19 
documentation, 5 
editions, 6 
release notes, 7 
download patches 
overview, 7 
download step, 8 
E
errors, common, 39 
extended options, 9 
F
files 
.swa.conf, 9, 37 
analysis, 8, 37 
caches, 8, 9, 16 
catalog, 7, 8, 15, 37 
comprehensive report, 8 
configHPSIM, 37 
configuration, 9, 37 
download contents, 37 
downloading, 15, 16 
example configuration, 37 
HPSIM configuration, 37 
HPSIM directory, 37 
HPSIM root directory, 37 
ignore, 17, 26, 37 
inventory, 8, 37 
list of useful files, 37 
log, 37 
manpages directory, 37 
options, 9 
readBeforeInstall.txt, 17, 37 
removing, 46 
report, 19, 37 
swa.conf, 9, 39 
swa.conf.template, 9 
swa.log, 39 
83

swa_analysis.xml, 8 
swa_catalog.xml, 8, 39 
swa_report.html, 8 
swcache, 37 
G
get major mode, 8 
glossary, 81 
H
help, 9 
HP SIM 
client directory, 37 
configHPSIM command, 12 
errors related to SWA, 40 
installing SWA, 12 
job id, 35 
mxinitconfig command, 12 
performance issues, 40 
root directory, 37 
setting analyzers, 33 
HP-UX Software Assistant (see SWA) 
HTML report 
explained, 20 
overview, 19 
I
ignore file 
adding actions, 17 
issue id, 26 
installing SWA, 11 
for HP SIM, 12 
inventory file 
and analysis, 19 
and the assessment profile, 21 
forcing an update, 17 
location, 37 
inventory step, 8 
issue ID, 26 
Issue report 
explained, 23 
overview, 19 
J
Java requirements, 11 
L
log file 
alternative, 37 
default, 37 
M
major modes, 8 
clean, 9 
get, 8 
report, 8 
step, 8 
manpages, 5 
directory, 37 
swa, 42 
swa clean, 46 
swa get, 50 
swa report, 57 
swa step, 67 
manual actions 
in the Action report, 22 
in the ignore file, 17 
overview, 16 
MD5, 7, 17 
media, 11 
mxinitconfig, 12 
in error message, 40 
O
options file, 9 
overview, 7 
P
PATCH analyzer 
in the assessment profile, 21 
in the Issue report, 25 
overview, 19 
PCW analyzer 
overview, 19 
publication history, 6 
PW analyzer 
in the Issue report, 25 
overview, 19 
Q
QPK analyzer 
in the Issue report, 23 
overview, 19 
QPK bundles 
in the Action report, 22 
with warnings, 23 
R
readBeforeInstall.txt file, 17, 37 
references, 5 
report major mode, 8 
report step, 8 
reports 
Action, 22 
Detail, 26 
detailed overview, 19 
HTML, 20 
Issue, 23 
overview, 7 
requirements, 11 
S
SEC analyzer 
in the Issue report, 24 
overview, 19 
software, 11 
step major mode, 8 
steps 
84 Index

analyze, 8 
catalog, 8 
depot, 8 
download, 8 
inventory, 8 
report, 8 
using the step major mode, 8 
SWA 
command structure, 7 
installing, 11 
latest version, 7 
major modes, 8 
media, 11 
overview, 7 
software, 11 
troubleshooting, 39 
uninstalling, 13 
swcache 
default directory, 37 
downloading software, 16 
freeing disk space, 9 
write access, 8 
T
typographic conventions, 5 
U
uninstalling SWA, 13 
usercache 
freeing disk space, 9 
W websites 
HP IT Resource Center, 6 
SWA web page, 12 
technical documentation, 6 
85