
Automatically Installing Oracle® Solaris 11.4 Systems


Updated: July 2019
 
 

Configuring Install Service Credentials

For an AI service, in addition to generating security credentials, you can also optionally set a service policy to determine how the service is accessed.

Setting Credentials for an AI Service

To generate security credentials for an install service, use the following command:

$ installadm set-service -n service-name --hmac-type signature-type [-g| [-H]]

For an explanation of the different options, see Securing Automated Installations.


Note - To provide your own credentials instead, see Generating Credentials.

Setting a Service Policy

The -p option sets an authentication policy for a service. Each install service can have one security policy set. Select from the following choices:

require-client-auth

Confirms the identity of the client. Requires client and server authentication for all clients of the specified service. This option also requires encryption.

Requires all clients of the service to authenticate with client authentication. All clients of the specified service must be assigned credentials, and all SPARC clients of this service must have their firmware keys generated. Any clients of the service that are not configured for client authentication will not be able to use this install service.

require-server-auth

Confirms the identity of the AI server. Requires all clients of the specified service to perform server authentication. This option also requires encryption.

Requires at least AI server authentication for access to the specified install service. Client authentication is optional, but you must provide any assigned or attributed client credentials. You must also define firmware keys for all clients of this service.

optional

Allows both authenticated and unauthenticated clients to access the install service. The option also requires encryption if the AI server has credentials. This is the default behavior.

You must provide any assigned client credentials. Clients without assigned or attributed credentials do not use firmware keys or server authentication. Server authentication is provided only for clients configured for client authentication.

encr-only

For x86 clients only: Enables SSL/TLS end-to-end encryption without requiring authentication. Without authentication, the identities of the client and AI server are not guaranteed. Data in transit is not readable over the network by third parties.

disable

Disables all security for all clients of the specified service.

Clients of this service are not authenticated. No credentials are issued. Clients of this service cannot access the webserver_secure_files_dir directory described in Configuring the AI Server's Web Server Files Directory. Use this setting with caution: Any install service files that were previously protected by authentication are no longer protected. Client data is not secured from unwanted access. To re-enable authentication, specify the set-service subcommand again with a different security policy value.

The following additional examples show how you can set security for the install service.

Example 20  Requiring AI Server Authentication During Installation

This example specifies a security setting that requires server authentication to use an install service. Use the require-server-auth install service security setting to require clients of the specified service to at least authenticate the AI server.

$ installadm set-service -p require-server-auth -n install-service

Example 21  x86: Requiring Encryption During Installation

This example specifies a security setting that uses encryption but does not require authentication. On x86 clients, to protect data transfers for a specific install service but not require client or server authentication, use the encr-only security setting. You still need a server certificate. The data will be protected from snooping over the network, but the AI server will provide the data to any client that issues the proper request to the server.

$ installadm set-service -p encr-only -n install-service
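
The following dry-run guard is an added example, not part of the Oracle documentation or the installadm tooling. It encodes the policy list above and only prints the set-service command after checking the policy name, the x86-only restriction on encr-only, and an explicit confirmation for disable. The function names, the client-architecture argument, the confirmation argument, and the exit codes are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: dry-run guard for "installadm set-service -p".
# It only prints the command; nothing is run against an AI server.

# policy_props POLICY (hypothetical helper)
# Prints "encryption server-auth client-auth" as stated in the policy list.
policy_props() {
    case "$1" in
        require-client-auth) echo "required required required" ;;
        require-server-auth) echo "required required optional" ;;
        optional)            echo "if-server-has-credentials optional optional" ;;
        encr-only)           echo "required none none" ;;
        disable)             echo "none none none" ;;
        *)                   return 1 ;;
    esac
}

# plan_policy SERVICE POLICY CLIENT_ARCH [ALLOW_DISABLE] (hypothetical helper)
# CLIENT_ARCH (x86|sparc) and ALLOW_DISABLE (yes) are inputs of this sketch.
# Returns: 0 ok, 2 unknown policy, 3 encr-only on non-x86, 4 disable refused.
plan_policy() {
    svc=$1 policy=$2 arch=$3 allow_disable=${4:-no}
    props=$(policy_props "$policy") || {
        echo "unknown policy: $policy" >&2; return 2; }
    if [ "$policy" = encr-only ] && [ "$arch" != x86 ]; then
        echo "encr-only applies to x86 clients only" >&2; return 3
    fi
    if [ "$policy" = disable ] && [ "$allow_disable" != yes ]; then
        echo "disable removes all protection; pass 'yes' to confirm" >&2
        return 4
    fi
    set -- $props   # split the three properties into $1 $2 $3
    echo "# encryption=$1 server-auth=$2 client-auth=$3" >&2
    echo "installadm set-service -p $policy -n $svc"
}

# Constructed sample input: the architectures are made up for the demo.
for args in "install-service require-server-auth sparc" \
            "install-service encr-only sparc" \
            "install-service disable x86"; do
    plan_policy $args || echo "rejected (exit $?)" >&2
done
```

Review the printed command and the property summary on stderr before running the command on the AI server.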