Client security provides the following benefits:
The AI server can verify the identity of the clients.
Data is encrypted over the network.
For clients with custom credentials, any published files specific to a client are not readable by any other client.
Only authenticated clients can access the user-specified secure directory described in Configuring the AI Server's Web Server Files Directory.
To configure security for a specific client, use the following command:
$ installadm set-client -e mac-address --hmac-type signature-type [-g| [-H]]
For an explanation of the other options, see Securing Automated Installations.
This example specifies user-supplied credentials. Firmware keys are generated if they do not already exist and are displayed on screen.
$ installadm set-client -e 02:00:00:00:00:00 -C client.crt -K client.key -A cacert.pem
For an explanation of the options, see Securing AI on the AI Server.

Example 23 Setting Credentials for Clients of a Specific Install Service
Non-custom clients use the credentials of their associated AI service. See the following example for the solaris11_4-sparc service.
$ installadm set-service -g -n solaris11_4-sparc
Generating credentials for service solaris11_4-sparc...
A new certificate key has been generated.
A new certificate has been generated.
Generated client encryption (AES) firmware key: 34bc980ccc8dfee478f89b5acbdf51b4
Generated client hashing (HMAC SHA-1) firmware key: b8a9f0b3472e8c3b29443daf7c9d448faad14fee
Clients without credentials that are assigned to the service share the service's credentials. Consequently, these clients can view each other's installation data.

Example 24 Setting Default Client Credentials
To provide a default set of credentials for any client, you configure the credentials on the AI server and use the -D option.
$ installadm set-server -D -g
Generating default client credentials...
A new certificate key has been generated.
A new certificate has been generated.
Generated client encryption (AES) firmware key: 7cdbda5b8fc4b10ffbd29fa19d13af77
Generated client hashing (HMAC SHA-1) firmware key: 14effe2c515da4940ef1db165791e92790163004
After default client credentials are assigned, all clients perform client and server authentication, and firmware keys are required for all clients.
Because multiple clients share the same default credentials, they can view each other's installation data.
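The generated firmware keys appear only in the command output shown in the examples above, so they have to be captured accurately. The following added example (not part of the original documentation or of installadm itself) parses that output and rejects a missing, duplicated, or malformed key line. The function names extract_key and save_keys and the output file layout are hypothetical, and the expected key lengths are an assumption taken from the keys shown on this page.

```shell
#!/bin/sh
# Added example (not Oracle's code): pull the firmware keys out of the text
# that installadm prints when it generates credentials, and validate them.

# Constructed sample input: the Example 23 output shown on this page.
SAMPLE_OUTPUT='Generating credentials for service solaris11_4-sparc...
A new certificate key has been generated.
A new certificate has been generated.
Generated client encryption (AES) firmware key: 34bc980ccc8dfee478f89b5acbdf51b4
Generated client hashing (HMAC SHA-1) firmware key: b8a9f0b3472e8c3b29443daf7c9d448faad14fee'

# extract_key KIND: KIND is AES or HMAC; installadm output is read from stdin.
# Prints the key on success. Returns 1 if the key line is missing, appears
# more than once, is not hex, or has an unexpected length.
extract_key() {
    case "$1" in
        AES)  label='(AES)';        want_len=32 ;;  # assumption: lengths as
        HMAC) label='(HMAC SHA-1)'; want_len=40 ;;  # seen in the page's output
        *)    return 2 ;;
    esac
    key=$(sed -n "s/^.*${label} firmware key: *//p")
    case "$key" in
        ''|*[!0-9a-fA-F]*) return 1 ;;  # empty, non-hex, or newline (duplicate line)
    esac
    [ "${#key}" -eq "$want_len" ] || return 1
    printf '%s\n' "$key"
}

# save_keys FILE: hypothetical helper. Reads installadm output from stdin and
# writes both keys to FILE with owner-only permissions; writes nothing if
# either key fails validation.
save_keys() {
    out=$(cat)
    aes=$(printf '%s\n' "$out" | extract_key AES) || return 1
    hmac=$(printf '%s\n' "$out" | extract_key HMAC) || return 1
    ( umask 077 && printf 'aes=%s\nhmac-sha1=%s\n' "$aes" "$hmac" > "$1" ) &&
        chmod 600 "$1"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | extract_key HMAC
```

Because clients that share service or default credentials also share these keys, the saved file should be protected as carefully as the server's private key.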