
Automatically Installing Oracle® Solaris 11.4 Systems


Updated: July 2019

SPARC: Upgrading Security Credentials

Upgrading SPARC clients from SHA1 to the preferred SHA256 protocol can be completed in phases. When you set the policy on the AI server to use SHA256, keys generated for future clients are based on that protocol. Likewise, when you set the HMAC type of an install service to SHA256, that type determines the keys that you subsequently generate for future clients. You then set these keys on those SPARC clients from the OBP command prompt.

However, existing SPARC clients that use SHA1 keys continue to use these keys until you reset them to use the new protocol.

When you generate a new SHA256 hash key, the installadm functionality stores and maintains both the SHA1 and SHA256 keys internally. Depending on the hmac-type, one key is active while the other is deactivated. You can display information about both active and inactive keys with the installadm list command.

SPARC: How to Upgrade a Client's HMAC Key Based on its Service

This task shows how to upgrade SPARC clients that use SHA1 keys so that they use their service's SHA256 keys. It assumes that no SHA256 keys have yet been set up on the install service.

Before You Begin

Ensure that your role has the appropriate rights profiles to perform this procedure. See Using Rights Profiles to Install Oracle Solaris.

  1. If necessary, check the clients that use the SPARC service.
    $ installadm list -c
    Service Name      Client Address    Arch  Secure Custom Args Custom Grub
    ------------      --------------    ----  ------ ----------- -----------
    solaris11_4-sparc A0:B1:C2:D3:E4:F5 sparc yes     no          no

    In this example, the system with the MAC address A0:B1:C2:D3:E4:F5 uses the solaris11_4-sparc service.

  2. (Optional) Check the current HMAC key that the client uses.

    For example:

    $ installadm list -v -e A0:B1:C2:D3:E4:F5
    Service Name         Client Address    Arch  Secure Custom Args Custom Grub
    ------------         --------------    ----  ------ ----------- -----------
    solaris11_4-sparc    A0:B1:C2:D3:E4:F5 sparc yes    no          no
    
    ...
    
       FW Encr Key (AES) . 23780bc444636f124ba3ff61bdac32d1
       FW HMAC Key (SHA1) 1093562559ec45a5bb5235b27c1d0545ff259d63
       Boot Args ......... none
    
  3. On the AI server, create SHA256 keys.

    Perform one or both substeps depending on the security configuration you want to implement.

    a. Create SHA256 keys on the service.
      $ installadm set-service -n solaris11_4-sparc --hmac-type sha256
      Assigning credentials for service solaris11_4-sparc...
      Generating new hashing key (HMAC)...
      Generated service hashing (HMAC SHA-256) firmware key
         b8a9f0b3472e8c3b29443daf7c9d448faad14feeb795895dac7a36d4ba6e1084
      
    b. Create SHA256 keys on a client.
      $ installadm set-client -g -e aa:bb:cc:aa:bb:cc --hmac-type sha256
      Assigning credentials for client AA:BB:CC:AA:BB:CC...
      
      Generating new hashing key (HMAC)...
      Generated client hashing (HMAC SHA-256) firmware key:
         b795895dac7a36d4ba6e1084e906aa24fda9c973e7fb4ee1c55199ca50825d3f
      Changed Client AA:BB:CC:AA:BB:CC

    Both substeps perform the following actions:

    • Create new SHA256 keys.

    • Set the new keys as the active keys.

  4. Access the client system and set the new key on its firmware.

    Depending on which substeps you performed in Step 3, do one or both of the following:

    a. If you performed Step 3.a, type the following on the client A0:B1:C2:D3:E4:F5:
      OK set-security-key wanboot-hmac-256 \
         b8a9f0b3472e8c3b29443daf7c9d448faad14feeb795895dac7a36d4ba6e1084
    b. If you performed Step 3.b, type the following on the client AA:BB:CC:AA:BB:CC:
      OK set-security-key wanboot-hmac-256 \
         b795895dac7a36d4ba6e1084e906aa24fda9c973e7fb4ee1c55199ca50825d3f
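The following POSIX shell helper is an added example, not part of the Oracle documentation: it parses the kind of installadm list -v -e output shown in Step 2 to report which HMAC type a client is still using, and checks that a key has the hex length expected for its type before it is typed at the OBP prompt in Step 4. The sample output is constructed inline (the SHA256 label in the second sample is an assumption; only the SHA1 form appears above), so it runs offline without calling installadm.

```shell
#!/bin/sh
# Added example: audit helper for the SHA1 -> SHA256 HMAC key upgrade.
# installadm is never invoked; the outputs below are constructed samples.

# Constructed sample: client still on its SHA1 key (format as in Step 2).
SAMPLE_SHA1='Service Name         Client Address    Arch  Secure Custom Args Custom Grub
------------         --------------    ----  ------ ----------- -----------
solaris11_4-sparc    A0:B1:C2:D3:E4:F5 sparc yes    no          no

   FW Encr Key (AES) . 23780bc444636f124ba3ff61bdac32d1
   FW HMAC Key (SHA1) 1093562559ec45a5bb5235b27c1d0545ff259d63
   Boot Args ......... none'

# Constructed sample after the upgrade; the "(SHA256)" label is assumed.
SAMPLE_SHA256='solaris11_4-sparc    A0:B1:C2:D3:E4:F5 sparc yes    no          no

   FW Encr Key (AES) . 23780bc444636f124ba3ff61bdac32d1
   FW HMAC Key (SHA256) b8a9f0b3472e8c3b29443daf7c9d448faad14feeb795895dac7a36d4ba6e1084
   Boot Args ......... none'

# hmac_type OUTPUT: print the algorithm name inside "FW HMAC Key (...)".
hmac_type() {
    printf '%s\n' "$1" | sed -n 's/.*FW HMAC Key (\([A-Z0-9]*\)).*/\1/p' | head -n 1
}

# needs_upgrade OUTPUT: succeed (exit 0) when the active key is not SHA256,
# so a loop over clients can flag those still on the SHA1 key.
needs_upgrade() {
    [ "$(hmac_type "$1")" != "SHA256" ]
}

# key_len_ok TYPE KEY: verify the key is hex and has the length expected for
# its type (40 hex digits for a SHA1 key, 64 for a SHA256 key), catching a
# truncated or mistyped key before it is set with set-security-key.
key_len_ok() {
    case "$1" in
        SHA1)   expected=40 ;;
        SHA256) expected=64 ;;
        *)      return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq "^[0-9a-fA-F]{$expected}\$"
}

# Report on the constructed samples.
for out in "$SAMPLE_SHA1" "$SAMPLE_SHA256"; do
    if needs_upgrade "$out"; then
        echo "client uses $(hmac_type "$out") key: upgrade to SHA256 needed"
    else
        echo "client already uses SHA256 key"
    fi
done
```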