
Automatically Installing Oracle® Solaris 11.4 Systems


Updated: July 2019

Securing AI on the AI Server

On the AI server, you can create credentials as well as set the HMAC policy for WAN boot clients.

Setting the HMAC Policy

Configuring the HMAC policy sets the server-wide policy for HMAC signatures. After you have set the policy, the HMAC type becomes the default signature for new custom clients or services. You do not need to specify the policy again unless you set an exception to the policy or are performing upgrades.

Setting the policy does not affect existing SPARC clients and services until you specifically set their firmware keys. For information about upgrading security on SPARC clients, see Upgrading Security Credentials.

This example sets the policy to use HMAC-SHA256 as the default signature for future clients and services:

$ installadm set-server --hmac-policy hmac-sha256
Changed Server.

Note -  You can also use the shorter form of the option:
$ installadm set-server -F hmac-sha256

Setting Credentials for the AI Server

Use the following command:

$ installadm set-server [-D] --hmac-type signature-type [-g| [-H]]

The -D option is used only with the set-server subcommand. For an explanation of the options, see Securing Automated Installations.

If you use only the --hmac-type signature-type option, the command sets the active HMAC signature type for the server.

The following example automatically creates HTTP certificates. Because --hmac-type is not specified, HMAC keys for SPARC clients are generated based on the default HMAC-SHA1 protocol.

$ installadm set-server -g
The root CA certificate has been generated.
The CA signing certificate request has been generated.
The signing CA certificate has been generated.
A new certificate key has been generated.
A new certificate has been generated.
Generated client encryption (AES) firmware key:
   8d210964e95f2a333c5e749790633273
Generating new hashing key (HMAC)...
Generated client hashing (HMAC SHA-1) firmware key:
   4088861239fa3f3bed22f8eb885bfa476952fab4
Changed Server

To generate credentials as well as SHA256 keys, you would type the following command instead:

$ installadm set-server --hmac-type hmac-sha256 -g

Note -  To manually provide your own credentials, see Generating Credentials.
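
The credential-generation output shown above labels the HMAC algorithm and prints the firmware keys to the terminal. The following script is an added example, not part of the Oracle documentation: it checks captured installadm set-server -g output against an intended HMAC type and reports only the key length, never the key itself. The sample output is constructed with placeholder key values, and the function names and the hmac-sha1 name used for the SHA-1 label are assumptions.

```shell
#!/bin/sh
# Added example: audit captured `installadm set-server -g` output against the
# intended HMAC policy without echoing any key material.

# Constructed sample in the page's output format; key values are placeholders.
SAMPLE_OUTPUT='A new certificate has been generated.
Generated client encryption (AES) firmware key:
   00112233445566778899aabbccddeeff
Generating new hashing key (HMAC)...
Generated client hashing (HMAC SHA-1) firmware key:
   000102030405060708090a0b0c0d0e0f10111213
Changed Server'

# Print the algorithm label from the "(HMAC ...)" line, e.g. "SHA-1".
hmac_label() {
    sed -n 's/^Generated client hashing (HMAC \([^)]*\)) firmware key:.*$/\1/p' |
        head -n 1
}

# Print the number of hex digits in the HMAC key on the following line.
hmac_key_hexlen() {
    awk '/^Generated client hashing \(HMAC /{
        getline; gsub(/[^0-9a-fA-F]/, ""); print length($0); exit }'
}

# check_hmac EXPECTED < output
# Returns 0 on match, 1 on mismatch, 2 if no HMAC key line is present.
check_hmac() {
    expected=$1
    out=$(cat)
    label=$(printf '%s\n' "$out" | hmac_label)
    [ -n "$label" ] || { echo "no HMAC key line found"; return 2; }
    hexlen=$(printf '%s\n' "$out" | hmac_key_hexlen)
    # Assumption: "SHA-1" maps to the type name hmac-sha1, and a SHA-256 label
    # normalises the same way to the page's hmac-sha256.
    actual="hmac-$(printf '%s' "$label" | tr 'A-Z' 'a-z' | tr -d ' -')"
    echo "generated $actual key: $hexlen hex digits ($((hexlen * 4)) bits)"
    [ "$actual" = "$expected" ]
}

# Demo: the sample was generated without --hmac-type, so this reports a mismatch.
printf '%s\n' "$SAMPLE_OUTPUT" | check_hmac hmac-sha256 ||
    echo "MISMATCH: expected hmac-sha256; re-run with --hmac-type hmac-sha256"
```

Pipe real command output into check_hmac rather than saving it to a file, so the firmware keys are not left on disk.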