Installing Oracle® Solaris 11.2 Systems

Exit Print View

Updated: July 2014
 
 

How to Configure Security for Automated Installations

  1. Become an administrator.

    For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.2 Administration: Security Services.

  2. Generate security credentials for the AI server.

    The following command automatically generates an X.509 root CA certificate and signing CA certificate, a server certificate and private key, and OBP keys for AI server authentication. The CA certificate and the OBP keys are generated only if they do not already exist. If OBP keys are generated, the OBP commands to set these keys are displayed.

    # installadm set-server -g
    The root CA certificate has been generated.
    The CA signing certificate request has been generated.
    The signing CA certificate has been generated.
    A new certificate key has been generated.
    A new certificate has been generated.
    Generating new encryption key...
    To set the OBP encryption key for server authentication only, enter
        this OBP command:
      set-security-key wanboot-aes 8d210964e95f2a333c5e749790633273
    Generating new hashing key (HMAC)...
    To set the OBP hashing (HMAC) key for server authentication only,
        enter this OBP command:
      set-security-key wanboot-hmac-sha1 4088861239fa3f3bed22f8eb885bfa476952fab4
    Configuring web server security.
    Changed Server

    For more information about configuring AI server credentials, see Configuring AI Server Credentials.

  3. (Optional) Set the install service security policy.

    The following example specifies a security setting that requires client authentication to use an install service. To protect all clients and all data associated with a specific install service, use the require-client-auth install service security setting to require all clients to be secured with both server and client authentication. In this example, a client must have X.509 credentials to access any svcname install service data.

    # installadm set-service -p require-client-auth -n svcname

    For more information about configuring install service security policies, see Configuring Secure Install Services.

  4. Generate credentials for an AI client.

    The following example automatically generates a private X.509 certificate and key pair and an X.509 CA certificate for authentication of the specified client, where 02:00:00:00:00:00 is the MAC address of the client. Client credentials that are assigned by specifying the MAC address are unique for each client. The CA certificate is generated only if it does not already exist. If the client is a SPARC system, OBP keys are also generated if they do not already exist, and the OBP commands to set these keys are displayed.

    # installadm set-client -e 02:00:00:00:00:00 -g
    Generating credentials for client 02:00:00:00:00:00...
    A new certificate key has been generated.
    A new certificate has been generated.
    Generating new encryption key...
    To set the OBP encryption key, enter this OBP command:
      set-security-key wanboot-aes 030fd11c98afb3e434576e886a094c1c
    Generating new hashing key (HMAC)...
    To set the OBP hashing (HMAC) key, enter this OBP command:
      set-security-key wanboot-hmac-sha1 e729a742ae4ba977254a2cf89c2060491e7d86eb
    Changed Client: '02:00:00:00:00:00'

    For more information about configuring client credentials, see Configuring Client Credentials.

  5. Set OBP keys for SPARC clients.

    For SPARC clients that have security credentials assigned, you must set OBP security keys (hashing key and encryption key) when you boot the client for AI installation. The following example sets the OBP AES encryption key on a SPARC client console.

    ok set-security-key wanboot-aes 030fd11c98afb3e434576e886a094c1c

    The following example sets the OBP hashing (HMAC) key on a SPARC client console.

    ok set-security-key wanboot-hmac-sha1 e729a742ae4ba977254a2cf89c2060491e7d86eb

    See Installing a SPARC Client Using Secure Download for more information and examples.

  6. Modify the AI manifest to install from a secure IPS repository.

    If an AI manifest specifies a publisher that has a secure origin, specify the key and certificates in the credentials sub-element of the publisher element. See the Software section of the ai_manifest (4) man page for details. You can specify an SSL key and certificate in attributes of the image element, but this key and certificate apply only to the first publisher specified in the manifest. If keys and certificates are specified both in an image element and in a credentials element, the credentials specified in the credentials element are used. Consider locating key and certificate files in a user-specified directory on the AI web server. See Configuring the Web Server User Files Directory for information.