Go to main content

Automatically Installing Oracle® Solaris 11.4 Systems

Exit Print View

Updated: July 2019
 
 

Overview of Securing Automated Installations

You can secure automated installations with the Transport Layer Security (TLS) protocol. TLS uses private certificates and key pairs as well as the Certificate Authority (CA) certificate for generating and signing certificates. SPARC WAN boot clients also require firmware hash (HMAC) digest and encryption keys which secure the downloading of the initial network boot files.

The current Oracle Solaris release supports HMAC-SHA256 protocols for SPARC WAN boot clients, in addition to the HMAC-SHA1 protocols in previous releases.


Note -  With x86 clients that use PXEBoot, the initial network boot phase is not secured. For these clients, you implement security by creating an install service from a custom image that has security credentials. You would set the same credentials for the service as the image's. For information about creating custom secured AI images, see Chapter 3, Building an Image in Creating a Custom Oracle Solaris 11.4 Image.

    Security for automated installations is implemented in the following ways:

  • Server and client authentication.

  • Access control access to automated installations and server data.

  • Client data protection either for all clients together or separately for specific clients.

  • Data encryption.

  • Secure access to IPS package repositories as well as user specified directories.

In addition, you can also use AI to provision Kerberos in the clients. See How to Configure Kerberos Clients Using AI.

Commands for Securing Automated Installation

To secure automated installations, you use installadm subcommands and security related options. The subcommand corresponds to the component or entity you are securing. The subcommand to use also depends on whether you are setting security while creating the entity or you are configuring an existing entity.

  • set-server for the AI server

  • create-service or set-service for install services

  • create-client or set-client for both SPARC and x86 clients

Generating Credentials

You can generate credentials either automatically or by providing user-supplied credentials.

  • To generate credentials automatically, use the –g option. For example:

    $ installadm set-server -g

    In this example, the –g option generates or regenerates HTTPS credentials as well as firmware keys. See Securing Automated Installations for other examples of how to generate credentials.

  • To provide the credentials yourself, use the following options:

    • –A specifies the path to the PEM-encoded X.509 Certificate Authority (CA) certificate file.

      CA certificates must have unique subject lines. You specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use separate –A options.

    • –C specifies the path to a PEM-encoded X.509 certificate file.

    • –K specifies the path to a PEM-encoded X.509 private key file. This key file must have any passphrase removed.

    In the following example, all 3 certificate files are created at one time.

    $ installadm set-server -C server.crt -K server.key -A cacert.pem

    The certificate authority (CA) can be created separately from the certificate and key files. However, the certificate authority must be created first before you create the certificate and key files. However, the certificate and key files must be created together.