You can secure automated installations with the Transport Layer Security (TLS) protocol. TLS uses private certificates and key pairs as well as the Certificate Authority (CA) certificate for generating and signing certificates. SPARC WAN boot clients also require firmware hash (HMAC) digest and encryption keys, which secure the download of the initial network boot files.
The current Oracle Solaris release supports HMAC-SHA256 protocols for SPARC WAN boot clients, in addition to the HMAC-SHA1 protocols in previous releases.
Security for automated installations is implemented in the following ways:
Server and client authentication.
Access control for automated installations and server data.
Client data protection either for all clients together or separately for specific clients.
Secure access to IPS package repositories as well as user-specified directories.
You can also use AI to provision Kerberos on the clients. See How to Configure Kerberos Clients Using AI.
To secure automated installations, you use installadm subcommands and security-related options. The subcommand corresponds to the component or entity you are securing. The subcommand to use also depends on whether you are setting security while creating the entity or configuring an existing entity:
set-server for the AI server
create-service or set-service for install services
create-client or set-client for both SPARC and x86 clients
You can generate credentials either automatically or by providing user-supplied credentials.
To generate credentials automatically, use the -g option. For example:
$ installadm set-server -g
In this example, the -g option generates or regenerates HTTPS credentials as well as firmware keys. See Securing Automated Installations for other examples of how to generate credentials.
To provide the credentials yourself, use the following options:
-A specifies the path to the PEM-encoded X.509 Certificate Authority (CA) certificate file.
CA certificates must have unique subject lines. You specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use separate -A options.
-C specifies the path to a PEM-encoded X.509 certificate file.
-K specifies the path to a PEM-encoded X.509 private key file. This key file must have any passphrase removed.
In the following example, all 3 certificate files are created at one time.
$ installadm set-server -C server.crt -K server.key -A cacert.pem
The certificate authority (CA) can be created separately from the certificate and key files. However, the certificate authority must be created before you create the certificate and key files, and the certificate and key files must be created together.
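The following pre-flight check is an added example, not part of the Oracle documentation or of installadm itself. It confirms that the files intended for -C, -K and -A carry the expected PEM blocks, rejects a private key that still has a passphrase, and prints the set-server command with one -A per CA file. The function names are hypothetical; the check reads PEM text markers only, so it does not prove that the certificate matches the key, that the chain validates, or that CA subject lines are unique.

```shell
#!/bin/sh
# Added example: lint user-supplied credentials before "installadm set-server".
# Usage: build_set_server_cmd CERT KEY CA_FILE [CA_FILE...]
# Prints the command line for review on success; returns non-zero otherwise.
# Assumes paths without whitespace, since the command is built as one string.

# True if the file holds a PEM block whose label matches the ERE in $2.
has_pem_block() {
    grep -Eq -e "^-----BEGIN $2-----" "$1"
}

# True if the key is passphrase-protected: the PKCS#8 encrypted form, or the
# traditional form that carries a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

build_set_server_cmd() {
    [ "$#" -ge 3 ] || { echo "usage: CERT KEY CA_FILE..." >&2; return 2; }
    cert=$1 key=$2; shift 2
    for f in "$cert" "$key" "$@"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    has_pem_block "$cert" 'CERTIFICATE' ||
        { echo "$cert: no PEM certificate block" >&2; return 1; }
    if key_is_encrypted "$key"; then
        echo "$key: remove the passphrase before using -K" >&2; return 1
    fi
    has_pem_block "$key" '([A-Z]+ )?PRIVATE KEY' ||
        { echo "$key: no PEM private key block" >&2; return 1; }
    cmd="installadm set-server -C $cert -K $key"
    for ca in "$@"; do              # separate -A option for each CA file
        has_pem_block "$ca" 'CERTIFICATE' ||
            { echo "$ca: no PEM certificate block" >&2; return 1; }
        cmd="$cmd -A $ca"
    done
    printf '%s\n' "$cmd"
}
```
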