Automatically Installing Oracle® Solaris 11.4 Systems

Updated: July 2019
 
 

Listing Security Information Related to AI

To display security-related information, use the installadm list command with the available options. The following examples show the types of information you can obtain.

For displaying other AI information that is not related to security, see Showing Information About Install Services.

Displaying AI Server Security Information

To display server security information, use the -v and -s options. In addition to what previous Oracle Solaris versions typically displayed, the output includes HMAC information (the HMAC key and HMAC Policy lines in the example):

$ installadm list -sv
AI Server Parameter        Value
-------------------        -----
Hostname ................. hostname.example.com
Architecture ............. sparc
Active Networks .......... 192.0.2.0/24
                           198.51.100.0/24
Http Port ................ 5555
Secure Port .............. 5556
Image Path Base Dir ...... /export/auto_install
Multi-Homed? ............. yes
Managing DHCP? ........... yes
DHCP IP Range ............ 198.51.100.0/24 - 203.0.113.0/24
Boot Server .............. 192.0.2.0/24
Web UI Enabled? .......... yes
Wizard Saves to Server? .. no
Security Enabled? ........ no
Security Key? ............ yes
Security Certificate:
              Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=hostname.example.com
              Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
              Source : Server Certificate
              Valid from:  Dec 12 19:48:00 2016 GMT
                      to:  Dec 10 19:48:00 2026 GMT
              Validates?: yes
CA Certificates:
     f9d73b41 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
              Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
              Source : Server CA Certificate
              Valid from:  Dec  8 10:31:00 2016 GMT
                      to:  Dec  6 10:31:00 2026 GMT
     d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
              Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
              Source : Server CA Certificate
              Valid from:  Dec  8 10:31:00 2016 GMT
                      to:  Dec  6 10:31:00 2026 GMT
Def Client Sec Key? ........... yes
Def Client Sec Cert:
              Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Client default
              Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
              Source : Default Client Certificate
              Valid from:  Feb  2 16:47:00 2017 GMT
                      to:  Jan 31 16:47:00 2027 GMT
              Validates?: yes
Def Client CA Certs ........... none
Def Client FW Encr Key ........
   31c88df08c958972a4b0996910539a39
Def Client FW HMAC-SHA1 Key ... (inactive)
   3789ec373712f89879c575643415b386564b0e51
Def Client FW HMAC-SHA256 Key . (active)
   ae956c3a41d02083ca40f6125fce994d5df4a3e5077f9996d6118dce5ac74fad
HMAC Policy ................... HMAC-SHA256
Number of Services ............ 25
Number of Clients ............. 3
Number of Manifests ........... 26
Number of Profiles ............ 3
Telemetry Enabled? ............ no
Telemetry Success:
     none
Telemetry Failure:
     all_logs
Telemetry Frequency ........... 120 second(s)
Telemetry Files Retention ..... 1 year(s)
Telemetry Statistics Retention  1 year(s)

Displaying Client Security Information

To display client configuration information, particularly security-related information, use the -v and -e options. The output is similar to the server security information except for the HMAC policy, which is set only on the AI server.

$ installadm list -ve abcdefabcdef 
Service Name Client Address    Arch  Secure Custom Args Custom Grub
------------ --------------    ----  ------ ----------- -----------
case_02      AB:CD:EF:AB:CD:EF sparc no     no          no

...

  Security Key? ..... yes
  Security Cert:
       Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=CID 01ABCDEFABCDEF
       Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
       Source : Client Certificate
       Valid from:  Mar 24 10:24:00 2017 GMT
               to:  Mar 22 10:24:00 2027 GMT
       Validates?: yes
  CA Certificates:
    d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
       Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
       Source : Default CA Certificate
       Valid from:  Dec  8 10:31:00 2016 GMT
               to:  Dec  6 10:31:00 2026 GMT
  FW Encr Key (AES) .
   f444b7415cfbeadc3121e6dc42c77d3d
  FW HMAC-SHA1 Key .. (inactive)
   368954d00efa469b223bc88aaa62ea994292727e
  FW HMAC-SHA256 Key  (active)
   b795895dac7a36d4ba6e1084e906aa24fda9c973e7fb4ee1c55199ca50825d3f
  Boot Args ......... none
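
The following Python audit of text in the layout of the two listings above is an added example, not part of the Oracle documentation or of installadm. The audit function, its 90-day expiry window and the choice of what counts as a finding are assumptions of the example; the sample input is constructed from the server listing with key values left out, and timestamps are handled as naive GMT.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: security-relevant lines in the layout of the
# `installadm list -sv` output above; key values are omitted on purpose.
SAMPLE = """\
Security Enabled? ........ no
Security Certificate:
              Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=hostname.example.com
              Valid from:  Dec 12 19:48:00 2016 GMT
                      to:  Dec 10 19:48:00 2026 GMT
              Validates?: yes
CA Certificates:
     d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
              Valid from:  Dec  8 10:31:00 2016 GMT
                      to:  Dec  6 10:31:00 2026 GMT
Def Client FW HMAC-SHA1 Key ... (inactive)
Def Client FW HMAC-SHA256 Key . (active)
HMAC Policy ................... HMAC-SHA256
"""

def audit(text, now, warn_days=90):
    """Return a list of findings (strings) for one installadm listing."""
    findings, subject, active, policy = [], None, set(), None
    for line in text.splitlines():
        if m := re.search(r"Security Enabled\?\s*\.+\s*(\w+)", line):
            if m.group(1) != "yes":
                findings.append("security not enabled")
        elif m := re.search(r"Subject:.*CN=(.+)$", line):
            subject = m.group(1).strip()  # remembered for the lines that follow
        elif m := re.match(r"\s*to:\s+(.+?)\s+GMT\s*$", line):
            end = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y")
            if end - now <= timedelta(days=warn_days):
                findings.append(f"certificate '{subject}' expires {end:%Y-%m-%d}")
        elif m := re.search(r"Validates\?:\s*(\w+)", line):
            if m.group(1) != "yes":
                findings.append(f"certificate '{subject}' does not validate")
        elif m := re.search(r"(HMAC-SHA\d+) Key[\s.]*\((active|inactive)\)", line):
            if m.group(2) == "active":
                active.add(m.group(1))
        elif m := re.search(r"HMAC Policy\s*\.+\s*(\S+)", line):
            policy = m.group(1)  # present only in the server listing
    if "HMAC-SHA1" in active:
        findings.append("FW HMAC-SHA1 key is active")
    if policy and policy not in active:
        findings.append(f"policy {policy} has no active key")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, datetime(2026, 10, 1)))
```

The same function accepts the client listing from installadm list -ve, where the key lines carry no "Def Client" prefix and no HMAC Policy line appears.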

Displaying Other Client Security Information

The installadm export command lists information about TLS and X.509 keys that have been configured on a client system.

The -C option displays the client's X.509 TLS certificate:

$ installadm export -e ab:cd:ef:ab:cd:ef -C
------ certificate: client_AB:CD:EF:AB:CD:EF_cert_de22916b ------
-----BEGIN CERTIFICATE-----
MIICFDCCAX+gAwIBAgIBGTALBgkqhkiG9w0BAQswUDELMAkGA1UEBhMCVVMxDzAN
 ....
UiZDA6GOdvE=
-----END CERTIFICATE-----
  

The -K option displays the client's X.509 private key:

$ installadm export -e ab:cd:ef:ab:cd:ef -K
--------------- key: client_AB:CD:EF:AB:CD:EF_key ---------------     
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDCCJbC5Bd0uMQ0AOk4lLlQqWiQwqkx9lpIhHl31tF1/WxHi74A
 ...   
SYoBeKAOPSo7Evund+bHAROl0H4QnbSJgl1UDuZr3T3h     
-----END RSA PRIVATE KEY-----