On the AI server, you can create credentials as well as set the HMAC policy for WAN boot clients.
Configuring the HMAC policy sets the server-wide policy for HMAC signatures. After you have set the policy, the HMAC type becomes the default signature for new custom clients or services. You do not need to specify the policy again unless you set an exception to the policy or are performing upgrades.
Setting the policy does not affect existing SPARC clients and services until you specifically set their firmware keys. For information about upgrading security on SPARC clients, see Upgrading Security Credentials.
This example sets the policy to use HMAC-SHA256 as the default signature for future clients and services:
$ installadm set-server --hmac-policy hmac-sha256
Changed Server.
$ installadm set-server -F hmac-sha256
Use the following command:
$ installadm set-server [-D] --hmac-type signature-type [-g| [-H]]
The -D option is only used with the set-server subcommand. For an explanation of the options, see Securing Automated Installations.
If you use only the --hmac-type signature-type option, the command sets the active HMAC signature type for the server.
The following example automatically creates HTTP certificates. Because --hmac-type is not specified, HMAC keys for SPARC clients are generated based on the default HMAC-SHA1 protocol.
$ installadm set-server -g
The root CA certificate has been generated.
The CA signing certificate request has been generated.
The signing CA certificate has been generated.
A new certificate key has been generated.
A new certificate has been generated.
Generated client encryption (AES) firmware key: 8d210964e95f2a333c5e749790633273
Generating new hashing key (HMAC)...
Generated client hashing (HMAC SHA-1) firmware key: 4088861239fa3f3bed22f8eb885bfa476952fab4
Changed Server
To generate credentials as well as SHA256 keys, you would type the following command instead:
$ installadm set-server --hmac-type hmac-sha256 -g
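The set-server -g output above prints the firmware keys in clear text and names the hashing type that was actually used, so a saved transcript can be checked and sanitized before it is filed. The following is an added example, not part of the original documentation or of installadm: the function names are hypothetical, the transcript is assumed to hold one message per line, and only the "HMAC SHA-1" label shown on this page is matched.

```shell
#!/bin/sh
# Sample input: the last four messages of the set-server -g output shown
# above, one message per line (assumed layout of a saved transcript).
SAMPLE_OUTPUT='Generated client encryption (AES) firmware key: 8d210964e95f2a333c5e749790633273
Generating new hashing key (HMAC)...
Generated client hashing (HMAC SHA-1) firmware key: 4088861239fa3f3bed22f8eb885bfa476952fab4
Changed Server'

# Print the algorithm label of the generated hashing key, e.g. "HMAC SHA-1".
hmac_label() {
    printf '%s\n' "$1" |
        sed -n 's/^Generated client hashing (\(.*\)) firmware key: .*$/\1/p'
}

# Replace each firmware key value with its length so the transcript can be
# filed in a ticket or change log without the key material.
redact_keys() {
    printf '%s\n' "$1" | awk '
        /firmware key: [0-9a-f]+$/ {
            n = length($NF)
            sub(/[0-9a-f]+$/, "<redacted " n " hex chars>")
        }
        { print }'
}

# Exit status: 0 = hashing key is not SHA-1, 1 = SHA-1 key, 2 = no key line.
hmac_is_acceptable() {
    label=$(hmac_label "$1")
    case "$label" in
        "")      echo "no hashing key line found" >&2; return 2 ;;
        *SHA-1*) echo "hashing key generated as: $label" >&2; return 1 ;;
        *)       return 0 ;;
    esac
}

# Demo on the sample: print the redacted transcript, then the verdict.
redact_keys "$SAMPLE_OUTPUT"
hmac_is_acceptable "$SAMPLE_OUTPUT" ||
    echo "hashing key needs attention; see the --hmac-type example above"
```

A status of 1 on the sample reflects the case described above, where -g was run without --hmac-type and the key fell back to HMAC-SHA1.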