Client AI security provides the following benefits:
The AI server can verify the identity of the AI clients.
Data is encrypted over the network.
For clients with custom credentials, any published files specific to a client are not readable by any other client.
Only authenticated clients can access the user-specified secure directory described in Configuring the Web Server User Files Directory.
You can generate or specify credentials for a particular client, for clients of a particular install service, or for any client that does not already have credentials. OBP keys that are generated are for bidirectional (client and server) authentication. If you assign security credentials to a SPARC client, you must provide the OBP keys when you boot the client for AI installation. See Installing a SPARC Client Using Secure Download.
This example specifies user-supplied credentials. If the client is a SPARC system, OBP keys are generated if they do not already exist. If OBP keys are generated, the OBP commands to set these keys are displayed.
# installadm set-client -e 02:00:00:00:00:00 -C client.crt -K client.key -A cacert.pem
See the comments about using the -C, -K, and -A options in Configuring Security Credentials. If the CA certificate is not specified, the CA certificate used to generate these client credentials must have been previously assigned.
See OBP Security Keys for SPARC Clients for information about using the -E and -H options.
Example 8-26 Credentials for Clients of a Specific Install Service
This example provides credentials for any client that is assigned to the solaris11_2-sparc install service and that does not already have credentials assigned.
# installadm set-service -g -n solaris11_2-sparc
Generating credentials for service solaris11_2-sparc...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
To set the OBP encryption key, enter this OBP command:
    set-security-key wanboot-aes 34bc980ccc8dfee478f89b5acbdf51b4
Generating new hashing key (HMAC)...
To set the OBP hashing (HMAC) key, enter this OBP command:
    set-security-key wanboot-hmac-sha1 b8a9f0b3472e8c3b29443daf7c9d448faad14fee
Because this install service is a SPARC install service, OBP keys are also generated, and the OBP commands to set these keys are displayed.
Clients that are subsequently assigned to the solaris11_2-sparc install service also use these credentials if those clients are not assigned credentials by specifying their MAC address.
This option is useful when you want a uniform set of applications across multiple clients. However, all clients of this install service that are not assigned credentials by specifying their MAC addresses have identical credentials and can view each other's installation data.
See the comments about using the -C, -K, and -A options in Configuring Security Credentials.
See OBP Security Keys for SPARC Clients for information about using the -E and -H options.
Example 8-27 Default Client Credentials
This example provides a default set of credentials for any client with no credentials assigned.
# installadm set-server -D -g
Generating default client credentials...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
To set the OBP encryption key, enter this OBP command:
    set-security-key wanboot-aes 7cdbda5b8fc4b10ffbd29fa19d13af77
Generating new hashing key (HMAC)...
To set the OBP hashing (HMAC) key, enter this OBP command:
    set-security-key wanboot-hmac-sha1 14effe2c515da4940ef1db165791e92790163004
Because some clients might be SPARC clients, OBP keys are also generated, and the OBP commands to set these keys are displayed.
Once default client credentials are assigned, all clients will be expected to do client and server authentication, and firmware keys will be required for all SPARC clients of the AI server. Also, because multiple clients will have identical credentials, they will be able to view each other's installation data.
See the comments about using the -C, -K, and -A options in Configuring Security Credentials.
See OBP Security Keys for SPARC Clients for information about using the -E and -H options.
For SPARC clients to benefit from increased security features, you must set OBP security keys when you boot the client for AI installation.
A hashing (HMAC) key and an encryption key are automatically generated and displayed if they do not already exist when you use the installadm command with set-server, set-service, or set-client subcommands to generate or specify TLS credentials. These firmware keys are not automatically regenerated when the same command is repeated.
You can use the -E and -H options to regenerate the OBP keys. Do not specify the -E or -H option before OBP keys exist. Use the -E option to regenerate the encryption key and the -H option to regenerate the hashing (HMAC) key; you can specify both options or either one alone. When you run the command, the existing OBP keys you selected are invalidated and replaced with the newly generated values, and the OBP commands to set these keys are displayed. Any SPARC client that still holds the old values in its firmware must have the new keys set before it can boot for AI installation.
To display the OBP command to set the OBP security keys at a later time, use the –v option with the list subcommand, as in the following example:
# installadm list -v -e mac-addr
This command shows the correct OBP keys for this client, whether the TLS credentials were specified using the client MAC address, using the install service name, or are default client credentials. The output from the list subcommand shows whether the OBP keys are defined for this particular client, for a specified install service, or for the default client, as shown in Example 8–41.
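Because the set-security-key commands are displayed only when keys are generated (or regenerated with -E or -H), most administrators capture the installadm output to a file and later paste the commands at the client's ok prompt. The following script is an added example, not part of the Oracle documentation or of installadm: it takes saved installadm output, extracts the two OBP commands, and checks that each key has the length its name implies before you type it into firmware. The expected lengths (32 hex digits for the 128-bit wanboot-aes key, 40 hex digits for the 160-bit wanboot-hmac-sha1 key) are assumptions taken from the key names and from the values shown in the examples above; the sample output embedded in the script is constructed to match the set-service -g example.

```sh
#!/bin/sh
# Added example (not from the Oracle documentation or from installadm).
# Works on saved installadm output, for instance:
#   installadm set-service -g -n solaris11_2-sparc 2>&1 | tee obp-keys.txt
# and prints the two set-security-key commands once their key material
# has been checked for length and hex content.

# Constructed sample modelled on the set-service -g output shown above.
SAMPLE_OUTPUT='Generating credentials for service solaris11_2-sparc...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
To set the OBP encryption key, enter this OBP command:
    set-security-key wanboot-aes 34bc980ccc8dfee478f89b5acbdf51b4
Generating new hashing key (HMAC)...
To set the OBP hashing (HMAC) key, enter this OBP command:
    set-security-key wanboot-hmac-sha1 b8a9f0b3472e8c3b29443daf7c9d448faad14fee'

# extract_obp_commands OUTPUT: print every set-security-key line, with the
# leading indentation installadm adds removed.
extract_obp_commands() {
    printf '%s\n' "$1" | awk '$1 == "set-security-key" { $1 = $1; print }'
}

# obp_key_for OUTPUT KEYTYPE: print the hex key for wanboot-aes or
# wanboot-hmac-sha1. If the output contains several lines for one key type
# (for example after -E or -H regenerated it), only the last one displayed is
# current, so that is the one returned.
obp_key_for() {
    printf '%s\n' "$1" | awk -v t="$2" \
        '$1 == "set-security-key" && $2 == t { k = $3 } END { if (k != "") print k }'
}

# check_obp_key KEYTYPE HEX: succeed only if HEX is entirely hex digits of the
# length expected for the key type (assumed: 128-bit AES key = 32 hex digits,
# 160-bit HMAC-SHA1 key = 40 hex digits). A truncated or mistyped key fails.
check_obp_key() {
    case "$1" in
        wanboot-aes)       want=32 ;;
        wanboot-hmac-sha1) want=40 ;;
        *) echo "unknown OBP key type: $1" >&2; return 2 ;;
    esac
    printf '%s' "$2" | grep -Eq "^[0-9a-fA-F]{$want}\$"
}

# verify_obp_output OUTPUT: succeed only when both keys are present and well
# formed, and print the two commands ready to paste at the ok prompt.
verify_obp_output() {
    for t in wanboot-aes wanboot-hmac-sha1; do
        k="$(obp_key_for "$1" "$t")"
        [ -n "$k" ] || { echo "no $t key found in installadm output" >&2; return 1; }
        check_obp_key "$t" "$k" || { echo "malformed $t key: $k" >&2; return 1; }
    done
    extract_obp_commands "$1"
}

# Stand-alone run against the constructed sample.
verify_obp_output "$SAMPLE_OUTPUT"
```

To use it on real output, replace SAMPLE_OUTPUT with the contents of the captured file, for example `verify_obp_output "$(cat obp-keys.txt)"`. The length check catches the common failure of a key being copied with a character missing, which OBP would accept as typed but which would then fail to authenticate the client.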
This section describes the options you can use to disable security requirements without deleting the security configuration, and then re-enable security requirements using the previously configured server and client authentication settings.
Security is enabled by default. While security is disabled, no credentials are issued to clients and no credentials are required from clients. While security is disabled, no HTTPS network protection is provided for any of the AI files served to an AI client. User-specified secure files served by the AI web server (as described in Configuring the Web Server User Files Directory) are not accessible while security is disabled.
While security is disabled, you can continue to configure security. Any changes are effective when security is re-enabled.
Use the following command to disable security enforcement server-wide:
# installadm set-server -S
Refreshing web server.
Automated Installer security has been disabled.
Use caution when disabling security on a server that already has install services configured. Secured install service data no longer requires authentication to access, and unauthenticated clients are able to install Oracle Solaris through AI.
Use the following command to re-enable security enforcement after security enforcement has been disabled with set-server -S:
# installadm set-server -s
Configuring web server security.
Refreshing web server.
Warning: client 02:00:00:00:00:00 of service solaris11_2-i386 is required to have credentials but has none.
Automated Installer security has been enabled.
The warning names a client that is required to have credentials but has none. Such a client cannot authenticate, and so cannot be installed, until credentials are assigned to it with set-client as shown earlier.
Use the installadm command to delete security credentials. The set-server, set-service, and set-client subcommands can be used to delete security credentials.
Security credentials are also removed when you run the delete-client or delete-service subcommands. The delete-client command removes all client-specific credentials. The delete-service subcommand removes all service-specific credentials as well as any client-specific credentials for all clients of that service and any alias services.
Caution - Deleted credentials cannot be recovered, and the TLS security protocol cannot function without server credentials. The installadm command disables AI security before it deletes the server credentials.
Example 8-28 Deleting Credentials for One Client
This example deletes the private key and certificate, any CA certificate, and any OBP keys that were assigned to the client by using a MAC address. If OBP keys are set in the client firmware, unset them as described in Deleting the Hash Key and Encryption Key.
# installadm set-client -e mac-addr -x
Example 8-29 Deleting a CA Certificate
This example deletes the specified CA certificate for all clients that use that CA certificate. The value of the --hash option argument is the hash value of the certificate's X.509 subject, as displayed by the list subcommand and shown in Example 8–41. Any clients that are using the specified CA certificate are counted and displayed along with a prompt to confirm you want to continue.
$ installadm set-client -x --hash b99588cf
Identifier hash: b99588cf
Subject: /C=CZ/O=Oracle Czech s.r.o./OU=install/CN=genca
Issuer: /C=CZ/O=Oracle Czech s.r.o./OU=install/CN=genca
Valid from Apr 27 13:12:27 2012 GMT to Apr 27 13:12:27 2015 GMT
This CA has the following uses:
WARNING: this is the server CA certificate
Deleting this Certificate Authority certificate can prevent credentials from validating.
Do you want to delete this Certificate Authority certificate [y|N]: y
Deleting all references to Certificate Authority with hash value b99588cf
Caution - In this example, all instances of this CA certificate are deleted for all clients that use it; the affected clients can no longer be authenticated. If the deleted CA certificate is the one that the installadm command uses to generate certificates (the server CA, flagged by the WARNING in the output above), the installadm command can no longer generate certificates.
Example 8-30 Deleting Server Security Credentials
This example deletes the server's private key and certificate, any CA certificate, and the OBP keys for server authentication only:
# installadm set-server -x