Go to main content

Automatically Installing Oracle® Solaris 11.4 Systems

Exit Print View

Updated: July 2019
 
 

Other Security Related Tasks

These section describes other tasks specific to security for automated installations.

Ensure that your role has the appropriate rights profiles to perform this procedure. See Using Rights Profiles to Install Oracle Solaris.

Modifying the AI Manifest to Install From a Secure IPS Repository

If an AI manifest specifies a publisher that has a secure origin, specify the key and certificates in the credentials sub-element of the publisher element. See the Software section of the ai_manifest(5) man page for details. You can specify an SSL key and certificate in attributes of the image element, but this key and certificate apply only to the first publisher specified in the manifest. If keys and certificates are specified both in an image element and in a credentials element, the credentials specified in the credentials element are used. Consider locating key and certificate files in a user-specified directory on the AI web server. See Configuring the AI Server's Web Server Files Directory for information.

Disabling and Enabling Security

This section describes the options you can use to disable security requirements without deleting the security configuration, and then re-enable security requirements using the previously configured server and client authentication settings.

Security is enabled by default. While security is disabled, no credentials are issued to clients and no credentials are required from clients. While security is disabled, no HTTPS network protection is provided for any of the AI files served to a client. User-specified secure files served by the AI web server (as described in Configuring the AI Server's Web Server Files Directory) are not accessible while security is disabled.

While security is disabled, you can continue to configure security. Any changes are effective when security is re-enabled.

Use the following command to disable security enforcement server-wide:

$ installadm set-server -S
Refreshing web server.
Automated Installer security has been disabled.

Use caution when disabling security for systems that already have install services configured. The secured install service data will not require authentication to access, and non-authenticated clients will be able to install Oracle Solaris through AI.

Use the following command to re-enable security enforcement after security enforcement has been disabled with set-security --disable:

$ installadm set-security -s
Configuring web server security.
Refreshing web server.
Warning: client 02:00:00:00:00:00 of service solaris11_4-i386 
is required to have credentials but has none.
Automated Installer security has been enabled.

Deleting Credentials

Use the installadm command to delete security credentials. The set-server, set-service, and set-client subcommands can be used to delete security credentials.

Security credentials are also removed when you run the delete-client or delete-service subcommands. The delete-client command removes all client-specific credentials. The delete-service subcommand removes all service-specific credentials as well as any client-specific credentials for all clients of that service and any alias services.

Caution - Deleted credentials cannot be recovered, and the TLS security protocol cannot function without server credentials. AI security will be disabled prior to deleting the server credentials.

Example 28  Deleting Credentials for One Client

This example deletes the private key and certificate, any CA certificate, and any OBP keys that were assigned to the client by using a MAC address.

$ installadm set-client -e mac-addr -x
Example 29  Deleting a CA Certificate

This example deletes the specified CA certificate for all clients that use that CA certificate. The value of the –hash option argument is the hash value of the certificate's X.509 subject, as displayed by the list subcommand and shown in Displaying Client Security Information. Any clients that are using the specified CA certificate are counted and displayed along with a prompt to confirm you want to continue.

$ installadm set-client -x --hash b99588cf
  Identifier hash: b99588cf
  Subject: /C=CZ/O=Oracle Czech s.r.o./OU=install/CN=genca
  Issuer:  /C=CZ/O=Oracle Czech s.r.o./OU=install/CN=genca
  Valid from Apr 27 13:12:27 2012 GMT to Apr 27 13:12:27 2015 GMT
This CA has the following uses:
        WARNING: this is the server CA certificate
Deleting this Certificate Authority certificate can prevent 
    credentials from validating.
Do you want to delete this Certificate Authority certificate [y|N]: y
Deleting all references to Certificate Authority with hash value b99588cf

Caution -In this example, all instances of this CA certificate are deleted for all clients that use it; the affected clients can no longer be authenticated. Once the specified CA certificate is used to generate certificates, the installadm command can no longer generate certificates.

Example 30  Deleting AI Server Security Credentials

This example deletes the AI server's private key and certificate, any CA certificate, and the OBP keys for server authentication only:

$ installadm set-server -x